[jadmin] issues install startcom ICA cert on jabberd2
Norman Rasmussen
norman at rasmussen.co.za
Mon Dec 11 14:00:55 CST 2006
On 12/11/06, Peter Saint-Andre <stpeter at jabber.org> wrote:
> Norman Rasmussen wrote:
> > so, i got a startcom cert, *yay* it's better than the private CA
> > signed one I had before *yay*. Psi-0.9 complains that the names don't
> > match :-( Psi-dev matches, but still complains about cert chain.
>
> I haven't tested that. Does psi-dev include the ICA cert?
err, not yet. But I added the root cert manually - and it works, I
shouldn't need to add the ICA cert.
> > Firefox complains about cert chain, try https://darkskies.za.net:5223/
>
> You need to import the ICA cert into Firefox if you want the complete
> trust chain in your browser. Firefox 2 includes the StartCom root cert
> but not the ICA cert.
Root cert is in browser, ICA isn't - shouldn't need to be.
> > my c2s.xml:
> >
> > <pemfile>/etc/ssl/certs/xmppd.pem</pemfile> (this contains: `openssl
> > x509 -in xmppd.crt -text` + xmppd.key)
> >
> > and:
> >
> > <cachain>/etc/ssl/startcom-sub.class1.xmpp.ca.crt</cachain>
> >
> > I couldn't figure out how to get startcom-ca.crt and
> > startcom-sub.class1.xmpp.ca.crt into one file :-( any tips?
>
> You don't do that. Well, at least in ejabberd you don't. Instead, you
> include both the root cert and the ICA cert separately (plus your domain
> cert issued by the ICA). Not sure how PEM files work, though, maybe they
> concatenate the root cert and ICA cert?
ugh, I just read the jabberd2 source, it seems that 2.0s10 should be
okay. sx/ssl.c was broken in rev1.27 which is still HEAD *whew*
SSL_CTX_use_certificate_chain_file() loads a certificate chain from
file into ctx. The certificates must be in PEM format and must be
sorted starting with the subject's certificate (actual client or server
certificate), followed by intermediate CA certificates if applicable,
and ending at the highest level (root) CA.
ahh, ha! /me goes off to reformat cacert file
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
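A hand-concatenated chain file is easy to get in the wrong order, so here is a small check, added to this archive page and not part of the thread or of jabberd2, that parses a PEM bundle and verifies the leaf-first, root-last ordering the OpenSSL manual excerpt above requires. The minimal DER parser, the `fake_cert_pem` fixture and the CA names it uses are constructed for illustration; the check itself also works on real DER certificates because it only compares the raw issuer and subject Name bytes.

```python
import base64
import re
def _tlv(data, pos=0):            # parse one DER TLV at pos -> (tag, value, end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:             # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def cert_names(der):
    """Return (issuer, subject) of a DER X.509 certificate as raw Name bytes."""
    _, cert, _ = _tlv(der)        # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _tlv(cert)        # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, ... }
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:      # skip the optional explicit version
        fields.pop(0)
    return fields[2][1], fields[4][1]

_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
def pem_blocks(text):
    """Split a PEM bundle into (label, der_bytes) tuples, e.g. ('CERTIFICATE', b'...')."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in _PEM.finditer(text)]

def chain_problems(bundle):
    """Check a chain file for SSL_CTX_use_certificate_chain_file(): leaf first, each cert
    issued by the next one, ending in a self-signed root. Empty list means the order is right."""
    names = [cert_names(der) for label, der in pem_blocks(bundle) if label == "CERTIFICATE"]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"cert {i} is not issued by cert {i + 1}: out of order or a CA is missing")
    if names and names[-1][0] != names[-1][1]:
        problems.append("last cert is not a self-signed root")
    return problems
# Constructed test fixture: minimal unsigned certificates (DER-shaped only, useless for TLS).
def _der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body
def _name(cn):                    # Name ::= SEQUENCE OF SET OF SEQUENCE { commonName OID, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(subject, issuer):
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + _name(issuer)
               + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run `chain_problems(open("/etc/ssl/certs/xmppd.pem").read())` against your own bundle; a key block in the same file is ignored, so the pemfile and cachain layouts discussed above can both be checked.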