[Help-gnutls] Chained Certificate Woes [was: Re: Wildcard Certificate Woes]
Daniel Kahn Gillmor
dkg-debian.org at fifthhorseman.net
Mon May 19 16:41:46 CEST 2008
On Mon 2008-05-19 10:05:04 -0400, Ben Goldsbury wrote:
> I have a valid wildcard certificate purchased from Godaddy. This
> certificate has the normal cert/key and an issuing certificate. The
> issuing certificate is actually a chain of 3 certificates.
I haven't had a chance to test this myself, but it sounds to me like
you're having a problem with certificate chaining, not with the
wildcard itself. In particular, it sounds like your gnutls-cli
instance can't complete the trust path from the offered certificate to
one of its trusted CAs because it lacks information about the
intermediate CAs.
> Using openssl's tools, I am able to create a valid server/client
> relationship.
Could you post an example of openssl commands you used which
succeeded?
I suspect what you'll need to do is to add the intermediate
certificates to server.crt (i dunno if they should go above or below
the host's certificate) before invoking gnutls-serv, so that they'll
be offered to complete the trust path.
the --x509cafile option for gnutls-serv is there to verify client
certificates, and (afaik) isn't used to select intermediate certs to
send on during the server certificate validation phase of connection
negotiation.
hth,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20080519/f2617810/attachment.pgp>
More information about the Gnutls-help
mailing list