Bug #2916

SSL Certificate vs SSL Issuer Chain input file

Added by Jesse Pepper over 8 years ago. Updated over 8 years ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Start date: 04/08/2014
Due date:
% Done: 0%
Estimated time:

Description

Hi There,

I'm trying to get SSL working with a Wt app, and have specified the --ssl-certificate command line argument. My certificate issuer however has provided me with both a .crt certificate file and a .ca-bundle "issuer chain". As I understand it, the issuer chain contains a chain of trusted certificates from a known trusted certificate body, to my own, via some intermediaries.

I tried to specify the .ca-bundle file in the --ssl-certificate argument but received the following error from Wt at startup:

Error (asio): use_private_key_file: key values mismatch

When I use the .crt file itself, it runs fine, and works fine in Chrome and Safari, but some installations of Firefox on Windows don't trust the certificate, and the detail they give is as follows:

www.perth.surgerylink.com.au uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

Is it possible to specify the certificate chain file for OpenSSL?

Apache allows the following 3 settings:

SSLCertificateFile /etc/ssl/crt/yourDOMAINNAME.crt 
SSLCertificateKeyFile /etc/ssl/crt/private.key 
SSLCertificateChainFile /etc/ssl/crt/yourSERVERNAME.ca-bundle ***

The SSLCertificateChainFile doesn't seem to be an option in Wt. Is this an oversight? Is it something that is intended to be supported?

Also, just checking you're aware of this, and 1.01g is supported. http://www.pcworld.com/article/2140920/heartbleed-bug-in-openssl-puts-encrypted-communications-at-risk.html
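
Both symptoms in this report can be reproduced with the openssl command line alone. The script below is an added example, not part of the original report and not Wt code. It builds a constructed root, intermediate and leaf, then checks which PEM file matches the private key and which one lets a client that trusts only the root build a chain. All file and subject names are made up, and whether Wt's --ssl-certificate accepts the combined file is not stated on this page.

```shell
#!/bin/sh
# Added example. Builds a constructed root -> intermediate -> leaf PKI in a
# temp dir (all names are made up) and prints the directory.
make_pki() {
    d=$(mktemp -d) || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.crt" 2>/dev/null || return 1
    # Stand-in for the CA's .ca-bundle: issuers only, no leaf.
    cat "$d/int.crt" "$d/root.crt" > "$d/site.ca-bundle"
    # Leaf first, then its issuers.
    cat "$d/leaf.crt" "$d/int.crt" > "$d/fullchain.pem"
    echo "$d"
}

# True if the FIRST certificate in PEM file $1 carries the public key of
# private key $2. OpenSSL pairs the key with that first certificate.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True if a client trusting only root $1 can build a path for the first
# certificate in $2, using the other certificates in $2 as the served chain.
client_accepts() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

d=$(make_pki) || exit 1
for f in site.ca-bundle leaf.crt fullchain.pem; do
    cert_matches_key "$d/$f" "$d/leaf.key" && echo "$f: first cert matches key" \
        || echo "$f: key values mismatch"
done
for f in leaf.crt fullchain.pem; do
    client_accepts "$d/root.crt" "$d/$f" && echo "$f: chain builds" \
        || echo "$f: unknown issuer"
done
rm -rf "$d"
```

A client that already holds the intermediate, or fetches it on its own, will accept the leaf-only file, which is consistent with the report that only some browsers fail.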
