[CentOS] Re: ssl and NameVirtualHost

Thu Apr 10 08:59:09 UTC 2008
mouss <mouss at netoyen.net>

Scott Silva wrote:
> on 4-9-2008 6:14 PM Tony Schreiner spake the following:
>> Jay Leafey wrote:
>>> Tony Schreiner wrote:
>>>> Kai Schaetzl wrote:
>>>>> Tony Schreiner wrote on Wed, 9 Apr 2008 15:29:16 -0400:
>>>>> However, you didn't provide any of the information I asked for. 
>>>>> You are not talking of www.bc.edu, do you?
>>>>> Kai
>>>> ok, ok.
>>>> https://bioinformatics.bc.edu
>>>> Tony
>>> I could be full of cheese here, but did VeriSign send you an 
>>> "intermediate" certificate along with your "real" certificate?  If 
>>> not, forget the
>>> When I went to the site and examined the cert I noticed that the 
>>> cert was not signed by one of the CAs in the ca-bundle.crt provided 
>>> by my copy of openSSL (openssl-0.9.8b-8.3.el5_0.2) on CentOS 5.1.  
>>> You can examine the "Issuer" field of the certificate to see who 
>>> signed it.
>>> I suspect that VeriSign sent you an "intermediate" certificate that 
>>> was actually used to sign your cert.  Apache has to present the 
>>> intermediate cert at the same time it presents your "real" cert.  
>>> Basically, since the intermediate cert was signed by a recognized CA 
>>> cert and your cert was signed by the intermediate cert, then your 
>>> cert is "trustworthy".
>>> The easiest way to fix this is to append the intermediate 
>>> certificate to your "real" certificate file.  I've had a few of 
>>> these in the past, particularly from smaller CAs that resell other 
>>> folks's service.
>>> Just a thought!
>> I'm away from the office now, but I only got one certificate. I 
>> didn't deal directly with Verisign, but rather went through someone 
>> in my IT department. I will check on that. Thanks.
>> Kai, in response to your last message, you say it's fine. Does that 
>> mean you don't get a dialog saying the site is not verifiable? 
>> Because I sure do, with several browsers on different platforms.
>> Tony
> It went OK at work for me, but at home on my laptop it is untrusted.
> So maybe verisign needs to verify it for you.

here is a possibly related thread: