Forum OpenACS Q&A: Re: using nsopenssl and certificate bundles

Posted by russ m on
OK. Well that was annoying. (partly because I'm dumb - ServerCADir/ServerCAFile in the old AOLserver 3 part of config.tcl are unsurprisingly not relevant when we're running on 4.5.1)

In case anyone has the same problem and finds this thread, what works for me is putting all the certs in one file that's referenced by the CertFile parameter. Order is significant - the file must contain your site certificate first, then the cert for its signer, and so on back up to the trusted root.

Posted by Patrick Giagnocavo on
I will add to this that this can be a pain.

The best way to debug this is not to keep restarting the AOLserver, but instead to use the command line SSL tool "openssl" to verify the CAFile for correct operation.

The man page for openssl has more information; most likely you will want to read up on how to use "openssl s_client verify" and such.
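
The ordering described in the first post (site certificate first, then each signer, back up to the root) can be checked offline with the openssl tool mentioned in the second post, without restarting AOLserver. The script below is an added example, not code from either poster or from nsopenssl; the function name `check_bundle_order` is hypothetical, and it compares issuer and subject names only.

```bash
#!/usr/bin/env bash
# Added example: verify that a PEM bundle is ordered
#   site cert -> its signer -> ... -> self-signed root.
# check_bundle_order is a hypothetical helper name, not part of nsopenssl.
# Returns 0 if the order is correct, 1 on the first break, 2 if unusable.
check_bundle_order() (
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... and print the count.
    n=$(awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle" 2>/dev/null)
    if [ "${n:-0}" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"; return 2
    fi
    i=1
    while [ "$i" -le "$n" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem")
        if [ "$i" -lt "$n" ]; then
            # The issuer of this cert must be the subject of the next one.
            expect=$(openssl x509 -noout -subject_hash -in "$tmp/cert$((i + 1)).pem")
            what="subject of certificate $((i + 1))"
        else
            # The last cert should be the root, i.e. issued by itself.
            expect=$(openssl x509 -noout -subject_hash -in "$tmp/cert$i.pem")
            what="its own subject (self-signed root expected last)"
        fi
        if [ "$issuer" != "$expect" ]; then
            echo "certificate $i: issuer does not match $what" >&2
            openssl x509 -noout -subject -issuer -in "$tmp/cert$i.pem" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "ok: $n certificates, site certificate first, root last"
)

# Run against a bundle when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_bundle_order "$1"
fi
```

A name match does not prove the signatures are valid; `openssl verify` covers that part once the order is right.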