[jadmin] issues install startcom ICA cert on jabberd2

Peter Saint-Andre stpeter at jabber.org
Mon Dec 11 14:09:29 CST 2006


Norman Rasmussen wrote:
> On 12/11/06, Peter Saint-Andre <stpeter at jabber.org> wrote:
>> Norman Rasmussen wrote:
>> > so, i got a startcom cert, *yay* it's better than the private CA
>> > signed one I had before *yay*. Psi-0.9 complains that the names don't
>> > match :-( Psi-dev matches, but still complains about cert chain.
>>
>> I haven't tested that. Does psi-dev include the ICA cert?
> 
> err, not yet.  But I added the root cert manually - and it works, I
> shouldn't need to add the ICA cert.

You're right, I'm wrong. :-)

>> > my c2s.xml:
>> >
>> > <pemfile>/etc/ssl/certs/xmppd.pem</pemfile>  (this contains: `openssl
>> > x509 -in xmppd.crt -text` + xmppd.key)
>> >
>> > and:
>> >
>> > <cachain>/etc/ssl/startcom-sub.class1.xmpp.ca.crt</cachain>
>> >
>> > I couldn't figure out how to get startcom-ca.crt and
>> > startcom-sub.class1.xmpp.ca.crt into one file :-( any tips?
>>
>> You don't do that. Well, at least in ejabberd you don't. Instead, you
>> include both the root cert and the ICA cert separately (plus your domain
>> cert issued by the ICA). Not sure how PEM files work, though, maybe they
>> concatenate the root cert and ICA cert?
> 
> ugh, I just read the jabberd2 source, it seems that 2.0s10 should be
> okay.   sx/ssl.c was broken in rev1.27 which is still HEAD *whew*
> 
>       SSL_CTX_use_certificate_chain_file() loads a certificate chain from
>       file into ctx. The certificates must be in PEM format and must be
>       sorted starting with the subject's certificate (actual client or
>       server certificate), followed by intermediate CA certificates if
>       applicable, and ending at the highest level (root) CA.
> 
> ahh, ha! /me goes off to reformat cacert file

OK, cool. We need to make a good README about all this, so please do
post further information about how to make the PEM file or whatever.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
