Certificate chain question

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Certificate chain question

Zaid-2
I have a root CA which is loaded on my browser, the
rootCA certify mysite.com which is also used to
certify part.mysite.com when user go directly to
part.mysite.com the browser complains because the
certifcate chain is not complete. Has anyone
experienced this problem or can perhaps explain why
this would happen?


Thanks,
Zaid

++------------------------------------------------------------++
If we don't believe in freedom of expression for people we despise, we don't believe in it at all.
Chomsky, Noam

Zaid's Blog: http://drummergeek.blogspot.com

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Certificate chain question

Dr. Stephen Henson
On Sat, Feb 11, 2006, Zaid wrote:

> I have a root CA which is loaded on my browser, the
> rootCA certify mysite.com which is also used to
> certify part.mysite.com when user go directly to
> part.mysite.com the browser complains because the
> certifcate chain is not complete. Has anyone
> experienced this problem or can perhaps explain why
> this would happen?
>

If the certificate chain contains one or more intermediate CAs you should
configure the server to include those.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Certificate chain question

Gayathri Sundar-2
In reply to this post by Zaid-2
I think you should load myside.com as well onto the browser..
as it is needed to verify part.myside.com.

Thanks
--G3

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]]On Behalf Of Zaid
Sent: Sunday, February 12, 2006 5:33 AM
To: [hidden email]
Subject: Certificate chain question


I have a root CA which is loaded on my browser, the
rootCA certify mysite.com which is also used to
certify part.mysite.com when user go directly to
part.mysite.com the browser complains because the
certifcate chain is not complete. Has anyone
experienced this problem or can perhaps explain why
this would happen?


Thanks,
Zaid

++------------------------------------------------------------++
If we don't believe in freedom of expression for people we despise, we don't
believe in it at all.
Chomsky, Noam

Zaid's Blog: http://drummergeek.blogspot.com

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Certificate chain question

Pjothi
Here the rootCA signs both myside.com and part.myside.com. So the
certificate chain is as I understand as follows

rootCA -------> signs -----> myside.com
rootCA -------> signs -----> part.myside.com

So, this above scenario would necessiate only rootCA to verify
part.myside.com. It doesn't need myside.com since myside.com does not
sign part.myside.com.

If you have an intermediate CA to sign part.myside.com for ex

rootCA --->signs---> intermediate CA----> signs ----> part.myside.com

then one has to add intermediate CA also to verify
part.myside.com.....So may be you have missed out on the intermediate
CA as Dr.Stephen suggested

cheers and if you solve it pls let me know
Pjothi

On 2/13/06, Gayathri Sundar <[hidden email]> wrote:

> I think you should load myside.com as well onto the browser..
> as it is needed to verify part.myside.com.
>
> Thanks
> --G3
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]]On Behalf Of Zaid
> Sent: Sunday, February 12, 2006 5:33 AM
> To: [hidden email]
> Subject: Certificate chain question
>
>
> I have a root CA which is loaded on my browser, the
> rootCA certify mysite.com which is also used to
> certify part.mysite.com when user go directly to
> part.mysite.com the browser complains because the
> certifcate chain is not complete. Has anyone
> experienced this problem or can perhaps explain why
> this would happen?
>
>
> Thanks,
> Zaid
>
> ++------------------------------------------------------------++
> If we don't believe in freedom of expression for people we despise, we don't
> believe in it at all.
> Chomsky, Noam
>
> Zaid's Blog: http://drummergeek.blogspot.com
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]