SSL root certificates

Hi there

One of our clients has insisted on using Verisign SSL certificates.

According to
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657
I need to install the Verisign Root CA.

I thought I needed to add this to nginx config using
ssl_client_certificate but I’ve tried a variety of their CA certs in
ssl_client_certificate but I still get “This cert was signed by an
untrusted authority”.

I see from this mailing list message:

On 6 Sep 2007, at 15:37, Igor S. wrote:

ssl_client_certificate is usually your own certificate, that you use
to sign some certificates and give them to clients. Client should
import these certificates into their browsers.

so perhaps this isn’t right.

Does anybody have experience using Verisign certs with nginx?
How can I add the custom Verisign root CA?

Thanks very much,
Igor

On Mon, Mar 17, 2008 at 12:34:25PM +0000, Igor C. wrote:

One of our clients has insisted on using Verisign SSL certificates.

According to
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657
I need to install the Verisign Root CA.

I thought I needed to add this to nginx config using
ssl_client_certificate but I’ve tried a variety of their CA certs in
ssl_client_certificate but I still get “This cert was signed by an
untrusted authority”.

Will your client create their own certificates, sign them using Verisign CA,
and pass them to install to the client’s browsers?

Or simply do they want to set one Verisign certificate on their site?

Instead of using ssl_certificate_client, shouldn’t you be using
ssl_certificate directive?

I don’t have a Verisign certificate, so I can’t tell if it works or not.

Hi Igor,

On 17 Mar 2008, at 12:43, Igor S. wrote:

I thought I needed to add this to nginx config using
ssl_client_certificate but I’ve tried a variety of their CA certs in
ssl_client_certificate but I still get “This cert was signed by an
untrusted authority”.

Will your client create their own certificates, sign them using Verisign CA,
and pass them to install to the client’s browsers?

Or simply do they want to set one Verisign certificate on their site?

Simply want to use one Verisign certificate for an SSL section of the
site.

Thanks!
Igor

Hi Thomas, sorry, perhaps I should have been clearer, this is just for
the authority’s root CA file.

Anyway it’s fixed with Igor’s help now, but thanks for your reply.

Cheers,
Igor

Thanks Igor, that worked!

For reference, it had to be my certificate first.

Cheers,
Igor

On Mon, Mar 17, 2008 at 12:52:21PM +0000, Igor C. wrote:

and pass them to install to the client’s browsers?

Or simply do they want to set one Verisign certificate on their site?

Simply want to use one Verisign certificate for an SSL section of the
site.

Then you do not need ssl_client_certificate. You need to concatenate
your certificate with Verisign intermediate one:

cat your_cert.crt intermediate.crt > cert.crt

However, I’m not sure about the certificate order:
i.e. yours + intermediate vs. intermediate + yours.

See also:

http://blog.imperialdune.com/2007/3/31/setting-up-godaddy-turbo-ssl-on-nginx
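
An added example (not part of the thread and not nginx's own tooling) that checks the ordering question raised above: the first certificate in the combined file has to match the private key, with the intermediate after it. The file names, the `www.example.test` CN and the self-signed stand-in for the intermediate are constructed for the demo; `make_demo_chain` and `check_bundle_order` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. File names and CNs are constructed for the demo.

# Build a throwaway intermediate CA and a server certificate in directory $1.
make_demo_chain() {
    d=$1
    # Stand-in for the CA's intermediate (self-signed only to keep the demo short).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.crt" 2>/dev/null
    # Server key and CSR, then the server certificate signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/your_cert.key" -out "$d/your_cert.csr" 2>/dev/null
    openssl x509 -req -in "$d/your_cert.csr" -days 1 -set_serial 1 \
        -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
        -out "$d/your_cert.crt" 2>/dev/null
}

# Return 0 if the first certificate in bundle $1 matches private key $2 and the
# second certificate is its issuer; otherwise print the reason and return 1-3.
check_bundle_order() {
    bundle=$1
    key=$2
    # openssl x509 reads only the first PEM certificate in a file.
    first_pub=$(openssl x509 -in "$bundle" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$first_pub" != "$key_pub" ]; then
        echo "first certificate does not match the private key"; return 1
    fi
    second=$(awk '/BEGIN CERTIFICATE/{n++} n==2' "$bundle")
    [ -n "$second" ] || { echo "no intermediate in bundle"; return 2; }
    issuer=$(openssl x509 -in "$bundle" -noout -issuer_hash)
    subject=$(printf '%s\n' "$second" | openssl x509 -noout -subject_hash)
    [ "$issuer" = "$subject" ] || { echo "second certificate is not the issuer"; return 3; }
    echo "ok"
}

demo=$(mktemp -d)
make_demo_chain "$demo"
cat "$demo/your_cert.crt" "$demo/intermediate.crt" > "$demo/cert.crt"   # order that worked in the thread
cat "$demo/intermediate.crt" "$demo/your_cert.crt" > "$demo/wrong.crt"  # reversed order
check_bundle_order "$demo/cert.crt" "$demo/your_cert.key"
check_bundle_order "$demo/wrong.crt" "$demo/your_cert.key" || true
rm -rf "$demo"
```

The bundle that passes is the file to name in `ssl_certificate`, with the matching key in `ssl_certificate_key`.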