Solved

Certificate Issue on OpenSSL

Posted on 2004-10-13
627 Views
Last Modified: 2007-12-19
I have set up a webserver with Apache 1.3.29, mod_ssl with OpenSSL 0.9.7d.

HTTPS works fine from the Mozilla browser. However, when I connect to the site with Internet Explorer 6 on Windows, it also throws an error and claims that one of the certs in the certificate chain expired on 1/7/2004.

We would prefer that the cert verify through OpenSSL and through Internet Explorer.

Notes:

I have poked around on Google Groups. Some suggestions were to add the CACertificateFile and CACertificatePath. So I have created those, and now my httpd.conf looks like this:

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/www/docs"
    ServerName ppcpb1.myco.com
    ServerAdmin root@ppcpb1.myco.com
    ErrorLog /usr/local/apache/logs/error_log
    TransferLog /usr/local/apache/logs/access_log
    SSLEngine on
    SSLCACertificatePath /usr/local/apache/conf/ca.certs/
    SSLCACertificateFile /usr/local/apache/conf/ca.certs/chui.pem
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache/conf/ssl.certs/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.certs/private.key
</VirtualHost>


Here is an additional note: from the IE browser, if you click on the lock to view the cert, you will see "This certificate has expired or is not yet valid."

Thank you in advance for the help...

Cathy



P.S. For reference, I also ran a diagnostic with OpenSSL on the command line, and here's what came out:


 > openssl s_client -showcerts -connect ppcpb1.myco.com:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Redwood Shores/O=myco Incorporated/OU=Network Engineering/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ppcpb1.myco.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Redwood Shores/O=myco Incorporated/OU=Network Engineering/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ppcpb1.myco.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Redwood Shores/O=myco Incorporated/OU=Network Engineering/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ppcpb1.myco.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Redwood Shores/O=myco Incorporated/OU=Network Engineering/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ppcpb1.myco.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Server certificate
subject=/C=US/ST=California/L=Redwood Shores/O=myco Incorporated/OU=Network Engineering/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ppcpb1.myco.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
SSL handshake has read 1722 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: 898C0917843CB7FE028EABC6A0D302BBC794A227C525E9B8941373ED28006711
     Session-ID-ctx:
     Master-Key: 5A8EE0FC1A09D3E7AAA092F4DC4A935211F039737465EF6CB75BF7D18424A767E481AFAC87A74A4799A6A72EF68D3CF4
     Key-Arg   : None
     Start Time: 1097194394
     Timeout   : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
Question by: cklh
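An added example, not code from the thread: it parses the kind of `openssl s_client -showcerts` text pasted above and reports why OpenSSL stopped at depth 0. The server sends only its own certificate, so any client that does not already hold a current copy of the issuing intermediate (or holds an expired one, as IE did here) cannot complete the chain. The sample output is constructed, and the regexes assume the classic s_client layout shown in the question (" 0 s:" / "   i:" chain entries and a "Verify return code" line).

```python
import re

# Constructed sample modelled on the s_client output quoted in the question: the
# server sends only its own certificate; its issuer, an intermediate CA, is absent.
SAMPLE_SCLIENT_OUTPUT = """\
depth=0 /C=US/O=Example Co/CN=www.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example Co/CN=www.example.test
   i:/O=Example Trust Network/OU=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:/C=US/..."
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")         # "   i:/O=..."
RETURN_CODE = re.compile(r"Verify return code: (\d+) \((.*)\)")

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in output.splitlines():
        if m := CHAIN_ENTRY.match(line):
            subject = m.group(2).strip()
        elif (m := CHAIN_ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def verify_code(output):
    m = RETURN_CODE.search(output)  # final OpenSSL verify result, e.g. 21
    return int(m.group(1)) if m else None

def diagnose(output):
    """Explain from s_client text alone why OpenSSL could not build the chain."""
    chain, code, findings = parse_chain(output), verify_code(output), []
    if not chain:
        return ["no certificate chain found in output"]
    for k in range(len(chain) - 1):  # issuer of k must be the subject of k+1
        if chain[k][1] != chain[k + 1][0]:
            findings.append(f"gap after depth {k}: issuer {chain[k][1]!r} is not "
                            f"the next subject {chain[k + 1][0]!r}")
    subject, issuer = chain[-1]
    if subject != issuer and code in (20, 21):  # chain ends before reaching a root
        findings.append(f"depth {len(chain) - 1} is not self-signed and its issuer "
                        f"{issuer!r} was neither sent nor found locally (code {code})")
    return findings
```

If the last certificate reported is not self-signed, the server is relying on every client to supply the intermediate itself; in mod_ssl the current intermediate is sent to clients with the SSLCertificateChainFile directive.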
2 Comments

Expert Comment by: periwinkle (LVL 15)
ID: 12328285
Regarding:

However, when I connect to the site with Internet Explorer 6 on Windows, it also throws an error and claims that one of the certs in the certificate chain expired on 1/7/2004.

This error is literally with an intermediate certificate; see: http://support.microsoft.com/default.aspx?scid=kb;en-us;834438 for full details.

The Summary from the above article:

The previous VeriSign 128-bit International (Global) Server Intermediate certification authority certificate expired on January 7, 2004. This may cause problems for clients that try to establish server-authenticated secure socket layer (SSL) connections with Web servers and other SSL/Transport Layer Security (TLS)-enabled applications that do not have up-to-date certificates.

To prevent these problems, Microsoft Internet Information Services (IIS) operators should contact VeriSign to update the intermediate certification authority certificates for servers that use 128-bit SSL to connect to Web sites with the Secure Hypertext Transfer Protocol.
Accepted Solution by: periwinkle (LVL 15, earned 250 total points)
ID: 12328327
Here's the Verisign page that announces this:

http://www.verisign.com/support/vendors/exp-gsid-ssl.html

which also contains a link to how to update the cert.