
I am running Apache 2.2.15 on Red Hat 6.3, and I can't get certificate chains to work properly.

I am using my organisation's PKI for certificate signing etc., which does not publish its root certificate to the internet.

So, I am using the directives SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile.

I created my 2048 bit RSA key using openssl genrsa, and then used openssl to create a request from this key, and signed it using our Windows 2008 R2 CA.

I point to this signed certificate file with SSLCertificateFile.

The problem I have is with the chain file.

I have the root, intermediate and server certificates in PEM format, and have tried various combinations of these (concatenating the text files) to create the chain file, e.g.:

root
inter
server

server
inter
root

inter
root

root
inter

None of these work.

To test this, I am doing the following:

openssl s_client -connect myserver.com:443 -CAfile root.cer

And the error I am getting is: Verify return code: 21 (unable to verify the first certificate)

However, the weird thing is when I run the following on the server:

openssl s_client -connect 127.0.0.1:443 -CAfile root.cer

it works fine: I get a '0' return code, and can see the certificate chain at the top of the output.

So what is going on?

Without the chain file in place, I get the padlock icon in a web browser, but I am required to use curl in a separate script to connect to it, and this won't work in secure mode if the chaining doesn't work properly.

Froggiz
gtmcclinton
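An added example, not from the question or any answer: this shell script builds a constructed root / intermediate / server PKI with openssl, writes a chain file in the order Apache's SSLCertificateChainFile expects (issuing CA first, root last, root optional), and uses openssl verify to show that a client trusting only the root can complete the path only when the intermediate is supplied, which is the situation behind "unable to verify the first certificate". All subject names, file names and the working directory are constructed here.

```shell
#!/bin/sh
# Added example, not the asker's setup. Everything below is generated locally.
set -e
WORK=$(mktemp -d)

# Self-signed root, intermediate CA signed by the root, server cert signed by
# the intermediate. The intermediate needs basicConstraints=CA:TRUE to be
# accepted as an issuer during path validation.
make_pki() {
  printf 'basicConstraints=CA:TRUE\n' > "$WORK/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -subj '/CN=Example Root CA' -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj '/CN=Example Issuing CA' >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj '/CN=myserver.example' >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial \
    -out "$WORK/server.pem" -days 30 >/dev/null 2>&1
}

# Chain file for SSLCertificateChainFile: the CA that issued the server cert
# first, then each CA above it; the root may be included or left out, since
# the client has to trust it from its own store anyway.
build_chain() {
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Models a client that trusts only root.pem (like s_client -CAfile root.cer).
# With a chain file passed as $1 the intermediate is available and the path
# closes; without one, only the server cert is known and validation fails.
# Prints "ok" or "fail".
verify_path() {
  if [ -n "$1" ]; then extra="-untrusted $1"; else extra=""; fi
  if openssl verify -CAfile "$WORK/root.pem" $extra "$WORK/server.pem" \
       >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_pki
build_chain
echo "with chain file:    $(verify_path "$WORK/chain.pem")"   # ok
echo "without chain file: $(verify_path)"                    # fail
```

Run it on the web host and replace the generated files with the real server, intermediate and root PEMs to confirm that the chain file you point SSLCertificateChainFile at actually links the server certificate up to the root the client holds.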

0 Answers