On Thu, 07 Jul 2005 15:57:47 +0200 Veit Wahlich <cru(at)zodia.de> wrote:
> Hi list!
>
> I plan to use wildcard certificates with pound, so I generated a self-
> signed cert for "*.foo.bar" for test purposes.
>
> But applying this cert to pound breaks it, also bundling the
> pseudo-CAs cert with the PEM cert/key file still gives the following
> OpenSSL error message:
>
> pound: starting...
> pound: SSL_CTX_use_certificate_chain_file failed - aborted
>
> I tried every possible order of cert, CA-cert and key in the pem file,
> but nothing changed except OpenSSL claims the error
> "SSL_CTX_use_PrivateKey_file" on some orders.
>
> Do pound or OpenSSL have problems with wildcard certs (or especially
> the *)? Or any other problem?
>
> Thankful for any hints and with best regards,
> // Veit Wahlich
>
There are no problems with "wild-card" certificates. The problems you
see are really at the file/format level - somehow you give Pound the
wrong data.
From Pound's (or OpenSSL's) point of view the "wild-card" is just a
certificate for a server named "*.xxx.com". Whether your browser
recognizes or accepts that is a different question.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
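
A way to check the file-level causes named in the reply above, as an added example that is not part of the original thread or of Pound: it confirms that a combined PEM file holds a readable certificate and private key and that the two belong together. The function names, return codes and file names are assumptions, and the samples are throwaway keys generated on the spot.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a combined PEM file of the
# kind Pound is given. Names and return codes here are assumptions.
# check_pem FILE -> 0 ok, 1 no readable certificate, 2 no readable private key,
#                   3 certificate and key do not belong together
check_pem() {
    pem=$1
    # Public key of the first certificate in the file.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    # Public key derived from the private key in the file. The empty -passin
    # keeps openssl from prompting if the key is passphrase-protected.
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 3
    return 0
}

# Constructed sample input: a self-signed wildcard certificate for "*.foo.bar"
# (the name used in the post) and an unrelated second key.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.foo.bar' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.pem" 2>/dev/null || return 1
    cat "$d/cert.pem" "$d/key.pem"   > "$d/good.pem"      # cert + its own key
    cat "$d/cert.pem" "$d/other.pem" > "$d/mismatch.pem"  # cert + wrong key
    cp "$d/cert.pem" "$d/nokey.pem"                       # key missing
    cp "$d/key.pem"  "$d/nocert.pem"                      # certificate missing
}

# Demo run over the constructed samples.
tmp=$(mktemp -d) || exit 1
make_samples "$tmp" || { echo "openssl could not build the samples" >&2; exit 1; }
for f in good mismatch nokey nocert; do
    rc=0; check_pem "$tmp/$f.pem" || rc=$?
    echo "$f.pem -> $rc"
done
rm -rf "$tmp"
```

The wildcard name plays no part in any of these checks, which matches the reply: the certificate is handled like any other.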