How to use chained SSL certificates

20 Jan 2011 by David (admin)
Yesterday I bought a new SSL certificate. Apparently, Thawte decided to use a longer key, which meant the certificate is now issued under another root cert. As a result, I now have a chained certificate instead. As I hadn't noticed this, some of my customers got error messages. Anyway, I've got it fixed now.

What are chained SSL certificates?

Normal "single root" certs are certified by one single parent, which clients recognise immediately. Chained certs, on the other hand, are signed by a parent which itself is signed by another parent. This effectively makes your cert a "grandchild" of the CA root. In the attached image you'll see a cert that is chained through two intermediate certs.

How to use chained SSL certificates?

Different server programs require different kinds of configuration. This page does not explain how to set up SSL for your software; it only shows how to use chained certs with each of the programs below.

Apache

Apache has quite some SSL functionality on board. I'm not going to discuss it all; the directives you're looking for are:
  SSLCertificateFile [path to crt file here]
  SSLCertificateKeyFile [path to key file here]
  SSLCACertificateFile [path to intermediate ca certs bundle here]
I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371. Your SSL provider has a page with their own intermediate CA certs.

PureFTPd

My PureFTPd key and cert are both located in /etc/pure-ftpd/pure-ftpd.pem. In order to make FTP clients accept the SSL cert, I performed the following steps:
  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371. Your SSL provider has a page with their own intermediate CA certs.
  2. I combined the contents of the key, my own cert and the intermediate CA certs into /etc/postfix/ssl/smtpd.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains, from top to bottom: my private key, the certificate for my domain, thawte DV SSL CA, thawte primary root. It doesn't need thawte primary server CA, as your client already has this one.
  3. Test it: openssl s_client -connect [your-hostname]:21 -starttls ftp

Dovecot

My dovecot SSL key is located in /etc/pki/dovecot/private/dovecot.pem and my SSL cert is /etc/pki/dovecot/certs/dovecot.pem. In order to make email clients accept the SSL cert, I performed the following steps:
  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371. Your SSL provider has a page with their own intermediate CA certs.
  2. I added the contents of the intermediate CA certs to /etc/pki/dovecot/certs/dovecot.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains, from top to bottom: YourDomain.com, thawte DV SSL CA, thawte primary root. It doesn't need thawte primary server CA, as your client already has this one.
  3. Test pop3s: openssl s_client -connect service.jxs.nl:995
  4. Test imaps: openssl s_client -connect service.jxs.nl:993

Postfix

My postfix key and cert are both located in /etc/postfix/ssl/smtpd.pem. In order to make email clients accept the SSL cert, I performed the following steps:
  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371. Your SSL provider has a page with their own intermediate CA certs.
  2. I combined the contents of the key, my own cert and the intermediate CA certs into /etc/postfix/ssl/smtpd.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains, from top to bottom: my private key, the certificate for my domain, thawte DV SSL CA, thawte primary root. It doesn't need thawte primary server CA, as your client already has this one.
  3. Test smtps: openssl s_client -connect [your-hostname]:465
  4. Test smtp with starttls: openssl s_client -connect [your-hostname]:25 -starttls smtp
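The following script is an added example, not code from the original post, and uses no real Thawte certificates. It demonstrates both the "grandchild" idea from the first section and the bundle-and-test procedure repeated for PureFTPd, Dovecot and Postfix above: it builds a throwaway root CA, intermediate CA and server certificate with openssl (the names "Example Test Root CA", "Example Test Intermediate CA" and "mail.example.test" are constructed), assembles the bundle in the order the post uses (private key, server cert, then the intermediate; the root is left out because the client already has it), prints each certificate's subject and issuer in file order so you can see the chain walk up one parent at a time, and finally verifies the server cert as a client that trusts only the root would, with and without the intermediate. The `show_served_chain` function is an assumed helper name wrapping the `openssl s_client` tests above; it needs network access and is not called by the offline demo.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway root -> intermediate
# -> server PKI built with openssl so the chain behaviour can be seen offline.
# All names (Example Test Root CA, mail.example.test) are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed: a writable scratch directory

# Create a key + CSR and sign it. $1=name  $2=CN  $3=issuer name ("self" for a
# self-signed root)  $4=X509v3 extensions, one per line (fed to x509 -extfile).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    printf '%s\n' "$4" > "$WORK/$1.ext"
    if [ "$3" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
            -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

# Root CA (what the client already trusts), intermediate CA, server cert.
make_test_pki() {
    ca_exts='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
    issue_cert root "Example Test Root CA" self "$ca_exts"
    issue_cert intermediate "Example Test Intermediate CA" root "$ca_exts"
    issue_cert server "mail.example.test" intermediate \
        'basicConstraints=CA:FALSE
subjectAltName=DNS:mail.example.test'
}

# Assemble the bundle in the order the post uses: private key, server cert,
# then each intermediate walking upwards; the root is omitted (clients have it).
build_bundle() {
    cat "$WORK/server.key" "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/bundle.pem"
    echo "$WORK/bundle.pem"
}

# Print subject/issuer of every certificate in a PEM file, in file order.
# Non-certificate blocks (the private key) are stripped first.
list_chain() {
    certs=$(mktemp)
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" > "$certs"
    openssl crl2pkcs7 -nocrl -certfile "$certs" | openssl pkcs7 -print_certs -noout
    rm -f "$certs"
}

# Verify the server cert as a client that trusts only the root would.
# $1 = with|without : whether the server also hands over the intermediate.
# Prints OK or FAIL.
verify_server_cert() {
    if [ "$1" = with ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
            "$WORK/server.pem" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1 \
            && echo OK || echo FAIL
    fi
}

# Assumed helper wrapping the s_client tests from the post: list what a live
# server actually sends. $1=host $2=port $3=optional STARTTLS protocol
# (smtp, ftp, ...). Needs network access, so the offline demo does not call it.
show_served_chain() {
    out=$(mktemp)
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -showcerts -starttls "$3" </dev/null >"$out" 2>/dev/null || true
    else
        openssl s_client -connect "$1:$2" -showcerts </dev/null >"$out" 2>/dev/null || true
    fi
    list_chain "$out"
    rm -f "$out"
}

demo() {
    make_test_pki
    bundle=$(build_bundle)
    echo "--- certificates in $bundle, in file order ---"
    list_chain "$bundle"
    echo "server sends leaf only:            $(verify_server_cert without)"   # FAIL
    echo "server sends leaf + intermediate:  $(verify_server_cert with)"      # OK
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh chain-demo.sh demo`. The `-untrusted` option to `openssl verify` is the offline equivalent of what a client does with the intermediates a server sends during the handshake: they are used to build the path to a root the client already trusts, but are not trusted on their own. The "FAIL" case is the situation the customers ran into: the leaf alone cannot be linked to the root, which `openssl s_client` reports as `verify error:num=20:unable to get local issuer certificate`. Once the bundle contains the intermediate, the same check passes. Use `list_chain` on your real bundle to confirm that the issuer of each certificate is the subject of the one that follows it, and `show_served_chain` against a host to confirm the server really hands the chain out after a restart.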
© GeekLabInfo
