Tuesday, November 30, 2010

Commercial SSL certificate untrusted - what did I pay for?

I recently bought a commercial SSL certificate, and was slightly mystified as to why the browser was calling it untrusted. How could they possibly be selling certs that Firefox doesn't trust? After some head scratching I realised the answer was that I needed to install the intermediate certificates (provided by the CA) on the server side, to complete the chain of trust.

During the SSL certificate exchange the web server (in this case Apache) can provide the client with additional certificates to enable it to establish a chain of trust.  Use the SSLCertificateChainFile directive in your site config, something like:

    # SSLCertificateChainFile accepts a single file (a repeated directive just overrides
    # the earlier one), so concatenate the intermediates, server cert's issuer first:
    #   cat CACompanySecureServerCA.crt ExternalCARoot1.crt > chain.crt   (name is an example)
    SSLCertificateChainFile /etc/apache2/ssl/chain.crt

According to the Apache documentation, you can cat these two together and just specify one file. Say the browser trusts RootCA1: it can check that RootCA1 signed ExternalCARoot1.crt, which signed CACompanySecureServerCA.crt, which signed my certificate. Without those intermediate certificates, the browser cannot establish trust.
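To see the chain-of-trust failure described above end to end, here is an added example (not part of the original post, and not the CA's or Apache's own tooling) that uses the openssl CLI to mint a throwaway root, two intermediates standing in for ExternalCARoot1.crt and CACompanySecureServerCA.crt, and a server certificate. It then verifies the server certificate against the root alone (which fails the way the browser did) and again with the intermediates supplied. All subject names and file names are made up, and it assumes an openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway
# root -> intermediate -> intermediate -> server chain with the openssl CLI
# and show that the server certificate only verifies when the intermediates
# are supplied. All subject names and file names below are made up.
set -eu

# make_demo_chain DIR: writes root.crt, int1.crt, int2.crt, srv.crt into DIR.
# int1 stands in for ExternalCARoot1.crt, int2 for CACompanySecureServerCA.crt.
make_demo_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"

  # Self-signed root: this is what the browser trusts (RootCA1 in the post).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -out "$dir/root.crt" -days 2 -extfile "$dir/ca.ext" 2>/dev/null

  # First intermediate, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int1.key" \
    -out "$dir/int1.csr" -subj "/CN=Demo External CA Root" 2>/dev/null
  openssl x509 -req -in "$dir/int1.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/int1.crt" -days 2 -extfile "$dir/ca.ext" 2>/dev/null

  # Second intermediate, signed by the first; this one issues server certs.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int2.key" \
    -out "$dir/int2.csr" -subj "/CN=Demo Secure Server CA" 2>/dev/null
  openssl x509 -req -in "$dir/int2.csr" -CA "$dir/int1.crt" -CAkey "$dir/int1.key" \
    -CAcreateserial -out "$dir/int2.crt" -days 2 -extfile "$dir/ca.ext" 2>/dev/null

  # Server certificate, signed by the second intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/srv.key" \
    -out "$dir/srv.csr" -subj "/CN=www.example.com" 2>/dev/null
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/int2.crt" -CAkey "$dir/int2.key" \
    -CAcreateserial -out "$dir/srv.crt" -days 2 -extfile "$dir/leaf.ext" 2>/dev/null
}

# build_chain_file DIR: concatenates the intermediates in the order Apache's
# SSLCertificateChainFile (and the TLS handshake) expects: the issuer of the
# server certificate first, then its issuer, and so on up towards the root.
build_chain_file() {
  cat "$1/int2.crt" "$1/int1.crt" > "$1/chain.crt"
}

# verify_without_chain DIR: what a browser holding only the root sees when the
# server sends just its own certificate. Returns non-zero (untrusted).
verify_without_chain() {
  openssl verify -CAfile "$1/root.crt" "$1/srv.crt" >/dev/null 2>&1
}

# verify_with_chain DIR: same trust anchor, but the intermediates are supplied,
# as the server does once the chain file is configured. Returns zero.
verify_with_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/chain.crt" "$1/srv.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
build_chain_file "$demo_dir"
if verify_without_chain "$demo_dir"; then
  echo "unexpected: server certificate verified without intermediates"
else
  echo "without chain file: untrusted (unable to get local issuer certificate)"
fi
if verify_with_chain "$demo_dir"; then
  echo "with chain file: trusted"
fi
rm -rf "$demo_dir"
```

Note that `openssl verify -untrusted` will accept the intermediates in any order; the order in the chain file matters to TLS clients, which expect the server certificate's issuer first, so keep the `cat` order shown in `build_chain_file` when producing the file you point SSLCertificateChainFile at.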
