TheSquad

Reputation: 7506

Openssl need to use CA bundle file (Intermediate cert)

I just purchased an SSL certificate from Go Daddy. Great price, but it seems that it has a drawback.

It seems to need the bundle.crt in order to work correctly on most browsers. I'm not yet really sure what it is; from what I have understood, it is an intermediate certificate from the Certificate Authority. Correct me if I'm wrong. So in my software I have OpenSSL:

SSL_CTX_set_default_passwd_cb(SSL_ctx, pem_passwd_cb);
SSL_CTX_use_PrivateKey_file(SSL_ctx, _private_key, SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_file(SSL_ctx, _certificate, SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_chain_file(SSL_ctx, "./ssl_key/bundle.pem");
SSL_CTX_set_session_cache_mode(SSL_ctx,SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_set_quiet_shutdown(SSL_ctx, 1);

The error I get is:

You didn't run init properly or an error occured.

With my last certs (GeoTrust) I didn't need the intermediate bundle; I'm really lost here.

Since SSL_CTX_use_certificate_chain_file accepts only PEM files, I have converted the bundle.crt file to PEM using openssl.

Any idea?

Thanks!

EDIT 1: Apparently the intermediate certificate must be in the /etc/ssl/certs folder. I have put every intermediate certificate from Go Daddy in this folder, and still no luck... I have removed the line

SSL_CTX_use_certificate_chain_file(SSL_ctx, "./ssl_key/bundle.pem");

which seems to be of no use for me here...

Upvotes: 2

Views: 2032

Answers (1)

TheSquad

Reputation: 7506

Okay, after testing one million things I finally found out.

I didn't convert the bundle.crt into PEM. I pasted the certificate file directly into the bundle.crt (at the beginning of the file).

I have removed this line from my code:

SSL_CTX_use_certificate_file(SSL_ctx, _certificate, SSL_FILETYPE_PEM);

So here's the final code for the SSL init:

/* Password callback for the (encrypted) PEM private key. */
SSL_CTX_set_default_passwd_cb(SSL_ctx, pem_passwd_cb);
SSL_CTX_use_PrivateKey_file(SSL_ctx, _private_key, SSL_FILETYPE_PEM);
/* bundle.crt now holds the server certificate first, then the Go Daddy
 * intermediates, so this single call loads the whole chain. Each of these
 * calls returns 1 on success; SSL_CTX_check_private_key() confirms the key
 * matches the first certificate. */
SSL_CTX_use_certificate_chain_file(SSL_ctx, "./ssl_key/bundle.crt");
SSL_CTX_set_session_cache_mode(SSL_ctx,SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_set_quiet_shutdown(SSL_ctx, 1);

Hope this helps someone, and saves them a lot of time (1 full day for me ;-))

Upvotes: 3
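The reason the fix above works is that SSL_CTX_use_certificate_chain_file() reads a PEM file in a fixed order: the first certificate becomes the server certificate, and every certificate after it is added as an intermediate. Loading the vendor's bundle.crt on its own therefore made the intermediate the "server certificate", which no longer matched the private key. The script below is an added example, not code from the original post: it builds a throwaway root/intermediate/leaf PKI with the openssl CLI (constructed test data), assembles a chain file in the expected order, and runs the same checks a browser or SSL_CTX_check_private_key() would. All file names, subjects and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example: build and check a leaf-first chain file for
# SSL_CTX_use_certificate_chain_file(). Everything here is constructed
# test data; names and paths are assumptions.
set -e
WORK=$(mktemp -d)

# Key + CSR for one subject (2048-bit RSA, constructed test material).
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
}

build_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    # Self-signed root with explicit CA extensions (plays the trusted root store).
    new_csr "Example Root CA" root
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -days 1 -out "$WORK/root.crt" 2>/dev/null
    # Intermediate CA signed by the root: this is what a vendor's bundle.crt holds.
    new_csr "Example Intermediate CA" int
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -days 1 -out "$WORK/int.crt" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate.
    new_csr "www.example.test" server
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null
    # The vendor bundle as shipped: intermediates only, no leaf.
    cp "$WORK/int.crt" "$WORK/bundle.crt"
}

# Subject of the FIRST certificate in a PEM file. That is the certificate
# SSL_CTX_use_certificate_chain_file() will present as the server certificate.
first_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Assemble the chain file: leaf first, then the intermediate bundle. The root
# is deliberately left out; clients must already trust it.
build_chain() {
    cat "$1" "$2" > "$3"
}

# Equivalent of SSL_CTX_check_private_key(): does the key match the FIRST cert?
key_matches_first_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The path validation a browser performs: leaf -> intermediate -> trusted root.
# $1 is the file of untrusted intermediates the server would send.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/server.crt" >/dev/null 2>&1
}

build_test_pki
build_chain "$WORK/server.crt" "$WORK/bundle.crt" "$WORK/chain.pem"

echo "first cert in bundle.crt: $(first_subject "$WORK/bundle.crt")"
echo "first cert in chain.pem:  $(first_subject "$WORK/chain.pem")"
key_matches_first_cert "$WORK/bundle.crt" "$WORK/server.key" \
    || echo "bundle.crt alone does NOT match the key: the intermediate would be served as the server cert"
key_matches_first_cert "$WORK/chain.pem" "$WORK/server.key" && echo "chain.pem matches the key"
verify_chain "$WORK/chain.pem" && echo "chain.pem verifies up to the root"
```

The same checks apply to a real deployment: `openssl x509 -in bundle.crt -noout -subject` must print the server's own name, and `openssl verify -CAfile <root> -untrusted bundle.crt server.crt` must print OK. Once the server is up, `openssl s_client -connect host:443 -showcerts` shows exactly which certificates it sends, which is what the browsers were missing.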
