[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-gnutls] Chained Certificate Woes [was: Re: Wildcard Certificate Wo
From: |
Daniel Kahn Gillmor |
Subject: |
[Help-gnutls] Chained Certificate Woes [was: Re: Wildcard Certificate Woes] |
Date: |
Mon, 19 May 2008 10:41:46 -0400 |
User-agent: |
Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux) |
On Mon 2008-05-19 10:05:04 -0400, Ben Goldsbury wrote:
> I have a valid wildcard certificate purchased from Godaddy. This
> certificate has the normal cert/key and an issuing certificate. The
> issuing certificate is actually a chain of 3 certificates.
I haven't had a chance to test this myself, but it sounds to me like
you're having a problem with certificate chaining, not with the
wildcard itself. In particular, it sounds like your gnutls-cli
instance can't complete the trust path from the offered certificate to
one of its trusted CAs because it lacks information about the
intermediate CAs.
> Using openssl's tools, I am able to create a valid server/client
> relationship.
Could you post an example of openssl commands you used which
succeeded?
I suspect what you'll need to do is to add the intermediate
certificates to server.crt (i dunno if they should go above or below
the host's certificate) before invoking gnutls-serv, so that they'll
be offered to complete the trust path.
the --x509cafile option for gnutls-serv is there to verify client
certificates, and (afaik) isn't used to select intermediate certs to
send on during the server certificate validation phase of connection
negotiation.
hth,
--dkg
pgp04PhRxWwjH.pgp
Description: PGP signature