[Help-gnutls] Re: Chained Certificate Woes [was: Re: Wildcard Certificate Woes]
bgoldsbury at gleim.com
Mon May 19 17:00:29 CEST 2008
Thanks for your help. I was able to fix the problem with your advice.
For reference, I used the order of "my cert" -> "goddady cert" ->
"valicert cert" (or least -> most trusted) to create my new server.crt.
I realized after the fact that my openssl s_client/s_server setup was
invalid and giving me bad data.
I owe you a box of cookies.
On Mon, 2008-05-19 at 10:41 -0400, Daniel Kahn Gillmor wrote:
> On Mon 2008-05-19 10:05:04 -0400, Ben Goldsbury wrote:
> > I have a valid wildcard certificate purchased from Godaddy. This
> > certificate has the normal cert/key and an issuing certificate. The
> > issuing certificate is actually a chain of 3 certificates.
> I haven't had a chance to test this myself, but it sounds to me like
> you're having a problem with certificate chaining, not with the
> wildcard itself. In particular, it sounds like your gnutls-cli
> instance can't complete the trust path from the offered certificate to
> one of its trusted CAs because it lacks information about the
> intermediate CAs.
> > Using openssl's tools, I am able to create a valid server/client
> > relationship.
> Could you post an example of openssl commands you used which
> I suspect what you'll need to do is to add the intermediate
> certificates to server.crt (i dunno if they should go above or below
> the host's certificate) before invoking gnutls-serv, so that they'll
> be offered to complete the trust path.
> the --x509cafile option for gnutls-serv is there to verify client
> certificates, and (afaik) isn't used to select intermediate certs to
> send on during the server certificate validation phase of connection
More information about the Gnutls-help