[Help-gnutls] Chained Certificate Woes [was: Re: Wildcard Certificate Woes]

Daniel Kahn Gillmor dkg-debian.org at fifthhorseman.net
Mon May 19 16:41:46 CEST 2008


On Mon 2008-05-19 10:05:04 -0400, Ben Goldsbury wrote:

> I have a valid wildcard certificate purchased from Godaddy.  This
> certificate has the normal cert/key and an issuing certificate.  The
> issuing certificate is actually a chain of 3 certificates.

I haven't had a chance to test this myself, but it sounds to me like
you're having a problem with certificate chaining, not with the
wildcard itself.  In particular, it sounds like your gnutls-cli
instance can't complete the trust path from the offered certificate to
one of its trusted CAs because it lacks information about the
intermediate CAs.

> Using openssl's tools, I am able to create a valid server/client
> relationship.

Could you post an example of openssl commands you used which
succeeded?

I suspect what you'll need to do is to add the intermediate
certificates to server.crt (i dunno if they should go above or below
the host's certificate) before invoking gnutls-serv, so that they'll
be offered to complete the trust path.

the --x509cafile option for gnutls-serv is there to verify client
certificates, and (afaik) isn't used to select intermediate certs to
send on during the server certificate validation phase of connection
negotiation.

hth,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20080519/f2617810/attachment.pgp>


More information about the Gnutls-help mailing list