Forum OpenACS Q&A: using nsopenssl and certificate bundles

1: using nsopenssl and certificate bundles

Posted by russ m on 04/27/09 12:17 AM

Hi All,

We have a couple of old clients running OpenACS based systems, one of whom has just had a new ssl certificate issued. The CA is Comodo/instantssl who has provided us with the actual cert. as well as 4 additional certs to chain back to the browser's trusted root.

Unfortunately for me I can't figure out how to get nsopenssl (3.0b26) to use these extra certs in ssl negotiation, so we're getting "certificate signed by an untrusted authority" errors.

I've tried bundling the extra certs into the file referenced by nsopenssl's CertFile parameter, as well as the CADir/CAFile items, but haven't found a combination that actually does the right thing. Are there any docs around for using CA certificates with nsopenssl?

cheers

Russell

2: Re: using nsopenssl and certificate bundles (response to 1)

Posted by russ m on 04/27/09 01:39 AM

OK. Well that was annoying. (partly because I'm dumb - ServerCADir/ServerCAFile in the old AOLserver 3 part of config.tcl are unsurprisingly not relevant when we're running on 4.5.1)

In case anyone has the same problem and finds this thread, what works for me is putting all the certs in one file that's referenced by the CertFile parameter. Order is significant - the file must contain your site certificate first, then the cert for it's signer, and so on back up to the trusted root.

3: Re: using nsopenssl and certificate bundles (response to 2)

Posted by Patrick Giagnocavo on 04/27/09 02:09 AM

I will add to this, that this can be a pain.

The best way to debug this is not to keep restarting the AOLserver, but instead to use the command line SSL tool "openssl" to verify the CAFile for correct operation.

The man page for openssl has more information; most likely you will want to read up on how to use "openssl s_client verify" and such.