[CentOS] Re: ssl and NameVirtualHost

Thu Apr 10 03:58:03 UTC 2008
Scott Silva <ssilva at sgvwater.com>

on 4-9-2008 6:14 PM Tony Schreiner spake the following:
> Jay Leafey wrote:
>> Tony Schreiner wrote:
>>> Kai Schaetzl wrote:
>>>> Tony Schreiner wrote on Wed, 9 Apr 2008 15:29:16 -0400:
>>>>
>>>> However, you didn't provide any of the information I asked for. You 
>>>> are not talking of www.bc.edu, do you?
>>>>
>>>> Kai
>>>>
>>>>   
>>> ok, ok.
>>>
>>> https://bioinformatics.bc.edu
>>>
>>> Tony
>>
>> I could be full of cheese here, but did VeriSign send you an 
>> "intermediate" certificate along with your "real" certificate?  If 
>> not, forget the
>>
>> When I went to the site and examined the cert I noticed that the cert 
>> was not signed by one of the CAs in the ca-bundle.crt provided by my 
>> copy of openSSL (openssl-0.9.8b-8.3.el5_0.2) on CentOS 5.1.  You can 
>> examine the "Issuer" field of the certificate to see who signed it.
>>
>> I suspect that VeriSign sent you an "intermediate" certificate that 
>> was actually used to sign your cert.  Apache has to present the 
>> intermediate cert at the same time it presents your "real" cert.  
>> Basically, since the intermediate cert was signed by a recognized CA 
>> cert and your cert was signed by the intermediate cert, then your cert 
>> is "trustworthy".
>>
>> The easiest way to fix this is to append the intermediate certificate 
>> to your "real" certificate file.  I've had a few of these in the past, 
>> particularly from smaller CAs that resell other folks's service.
>>
>> Just a thought!
> 
> I'm away from the office now, but I only got one certificate. I didn't 
> deal directly with Verisign, but rather went through someone in my IT 
> department. I will check on that. Thanks.
> 
> 
> Kai, in response to your last message, you say it's fine. Does that mean 
> you don't get a dialog saying the site is not verifiable? Because I sure 
> do, with several browsers on different platforms.
> Tony
It went OK at work for me, but at home on my laptop it is untrusted.
So maybe verisign needs to verify it for you.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20080409/64b0534f/attachment-0005.sig>