Ssl – Gandi SSL Certificates + Google Chrome: Unknown Authority

apache-2.2google-chromessl

I'm using a newly issued Gandi.net SSL Certificate and while it works fine most places I get a warning/error in Google Chrome:

https://skitch.com/timharding/f2jjf/google-chrome

I've tested that the chaining is working:

http://www.sslshopper.com/ssl-checker.html#hostname=www.submitten.com

My SSL configuration looks like this:

    SSLCertificateFile    /etc/ssl/certs/submitten.com.2011.crt
    SSLCertificateKeyFile /etc/ssl/certs/submitten.com.2011.key
    SSLCACertificateFile /etc/apache2/ssl.crt/GandiStandardSSLCA.pem
    SSLVerifyClient None

As per their recommendations.

Why is Chrome flagging this problem?

Thanks.

Best Answer

This will be because Gandi.net is not a recognised certification authority in Chrome, unfortunately there's not much you can do with that except wait and hope google accept them as a valid authority and add them to their browser. Alternatively, if you know all your users and you know which use chrome, you could manually install the certificate.

<-- edit -->

After googling a little it appears that gandi advertise Chrome support. Unless they've been revoked or they were lying about it it shouldn't be an issue, your best move is to contact gandi support and ask them about it.

Related Solutions

Google Chrome Enterprise – Any Gotchas

Only a handful of our (100 strong) IT team has it installed. I can't live without it. However, we still have to use IE or FF for certain intranet apps, as Chrome doesn't handle/render those apps correctly. (Or rather, yes I know, the pages aren't build to exacting standards - regardless, the problem exists)

You then have to consider this situation with non-technical users. Are you going to default Chrome? If so, how are the users going to know when it hasn't rendered a page correctly? How will they know to open IE or FF instead? To them, "it's all the interweb thing isn't it?".

I would personally say Chrome is several years away from being enterprise ready - certainly for our enterprise.

Ubuntu – How to view all ssl certificates in a bundle

http://comments.gmane.org/gmane.comp.encryption.openssl.user/43587 suggests this one-liner:

openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout

It indeed worked for me, but I don't understand the details so can't say if there are any caveats.

updated june 22:

for openssl 1.1.1 and higher: a single-command answer can be found here serverfault.com/a/1079893 (openssl storeutl -noout -text -certs bundle.crt)

Best Answer

Related Solutions

Google Chrome Enterprise – Any Gotchas

Ubuntu – How to view all ssl certificates in a bundle

Related Topic