pound and intermediate certificate
Grzegorz Danecki <g.danecki(at)gmail.com>
2009-06-10 12:50:37
Hello!

I'm trying to switch to a new wildcard certificate provided by DigiCert, but I
have a small issue:

http://www.digicert.com/help/index.htm
says that

"This certificate is not trusted in all web browsers. You may need to
install an Intermediate/chain certificate to link it to a trusted root
certificate."

The certificate (with the intermediate cert) is visible and recognized by
browsers on Windows (FF, IE, Safari); however, the same browsers on Mac OS X
(Safari, FF) claim that it is not signed by a trusted CA.

Important parts of pound configuration are:

         Cert    "/etc/pound/host.pem"
         CAList  "/etc/pound/DigiCertCA.crt"

where host.pem contains:

-----BEGIN RSA PRIVATE KEY-----
(...my private key used to generate CSR)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(...certificate provided by DigiCert)
-----END CERTIFICATE-----

and ca-c contains:
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----

So: the root and intermediate certificates provided by DigiCert.
What's more interesting:

openssl verify -CAfile DigiCertCA.crt host.pem
host.pem: OK

Do you have any hints?

Thanks in advance

Grzegorz Danecki

Re: [Pound Mailing List] pound and intermediate certificate
Karl Ward <karl.ward(at)hunter.cuny.edu>
2009-06-10 16:31:50
We don't use a CAlist directive in our Pound configuration. We only use the Cert directive, e.g.:

	Cert	"/etc/sslcerts/wildcard-combined.pem"

We construct a single PEM file for the SSL certificate chain, which contains:

    1. certificate for *.your.domain.tld (let's call that file _.your.domain.tld.crt)
    2. RSA private key (passphrase-free) for the *.your.domain.tld certificate (let's call that file _.your.domain.tld.key)
    3. certificate for the CA that signed *.your.domain.tld (typically DigiCertCA.crt)

To construct this PEM file, you'll probably do something like this:

# cat _.your.domain.tld.crt _.your.domain.tld.key DigiCertCA.crt > wildcard-combined.pem

On Jun 10, 2009, at 6:50 AM, Grzegorz Danecki wrote:
[...]

Karl Ward
Hunter College ICIT
karl.ward(at)hunter.cuny.edu