[CentOS] ssl and NameVirtualHost

Thu Apr 10 01:14:25 UTC 2008
Tony Schreiner <schreian at bc.edu>

Jay Leafey wrote:
> Tony Schreiner wrote:
>> Kai Schaetzl wrote:
>>> Tony Schreiner wrote on Wed, 9 Apr 2008 15:29:16 -0400:
>>>
>>> However, you didn't provide any of the information I asked for. You 
>>> are not talking of www.bc.edu, do you?
>>>
>>> Kai
>>>
>>>   
>> ok, ok.
>>
>> https://bioinformatics.bc.edu
>>
>> Tony
>
> I could be full of cheese here, but did VeriSign send you an 
> "intermediate" certificate along with your "real" certificate?  If 
> not, forget the
>
> When I went to the site and examined the cert I noticed that the cert 
> was not signed by one of the CAs in the ca-bundle.crt provided by my 
> copy of openSSL (openssl-0.9.8b-8.3.el5_0.2) on CentOS 5.1.  You can 
> examine the "Issuer" field of the certificate to see who signed it.
>
> I suspect that VeriSign sent you an "intermediate" certificate that 
> was actually used to sign your cert.  Apache has to present the 
> intermediate cert at the same time it presents your "real" cert.  
> Basically, since the intermediate cert was signed by a recognized CA 
> cert and your cert was signed by the intermediate cert, then your cert 
> is "trustworthy".
>
> The easiest way to fix this is to append the intermediate certificate 
> to your "real" certificate file.  I've had a few of these in the past, 
> particularly from smaller CAs that resell other folks's service.
>
> Just a thought!

I'm away from the office now, but I only got one certificate. I didn't 
deal directly with Verisign, but rather went through someone in my IT 
department. I will check on that. Thanks.


Kai, in response to your last message, you say it's fine. Does that mean 
you don't get a dialog saying the site is not verifiable? Because I sure 
do, with several browsers on different platforms.
Tony