dasch-swiss / sipi

Simple Image Presentation Interface
https://sipi.io
GNU Affero General Public License v3.0

https support of intermediate certificate authority #202

Open loicjaouen opened 7 years ago

loicjaouen commented 7 years ago

When requesting a site (or leaf) certificate, it is likely that it is issued by an intermediate certificate authority.

Commonly, the web architecture expects the server to provide the intermediate certificate authority's own certificate (CAcert).

Sipi should have a way to add the intermediate CAcert.

One file can hold several certificates, and the file passed to the ssl_certificate configuration argument could hold both the intermediate CAcert and the site's cert. I tested and it doesn't work.

There is no documented way to point an intermediate CAcert file to sipi.

loicjaouen commented 7 years ago

It is possible to use openssl s_client to test the certificate chain. I attach the output of openssl s_client calls for:

It is diff-friendly as the final target is the same sipi server, one being called through a proxy taking care of the ssl layer and certificates and getting to sipi through http, the other directly on sipi using https.

The server is not yet publicly available.

lrosenth commented 7 years ago

I will have a look at it. Right now, I do not yet understand fully.... :-( I will contact @loicjaouen

loicjaouen commented 7 years ago

When I requested to have my certificate signed for our sipi server, I received a certificate signed by QuoVadis, not directly by the QuoVadis root authority but by an intermediate layer.
This makes the chain:
QuoVadis Root CA 2 -> QuoVadis EV SSL ICA G1 -> sipi.unil.ch

If the browser can't check all of the links, the chain is untrusted.

It should be possible to provide the cert of an intermediate signing authority in the config file:

    ssl_key = './certificate/key.pem',
    ssl_certificate = './certificate/certificate.pem',
    ssl_intermediate_certificate = './certificate/intermediate.pem',

Exposing a work-around might help to understand the cause; in our case we delegate the security layer to an apache http proxy and its config, concerning this, looks like this:

                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/sipi.unil.ch.crt.pem
                SSLCertificateKeyFile   /etc/ssl/certs/sipi.key
                SSLCertificateChainFile /etc/ssl/certs/quovadis-ev-ssl-ica-g1.pem

Here it is in full length:

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName sipi.unil.ch

                ServerAdmin loic.jaouen@unil.ch

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/sipi.unil.ch.crt.pem
                SSLCertificateKeyFile   /etc/ssl/certs/sipi.key
                SSLCertificateChainFile /etc/ssl/certs/quovadis-ev-ssl-ica-g1.pem

                AllowEncodedSlashes NoDecode

                ProxyPreserveHost On
                ProxyPass "/" "http://sipi:1024/"
                ProxyPassReverse "/" "http://sipi:1024/"

                RewriteEngine On
                AddOutputFilterByType SUBSTITUTE application/json
                Substitute "s|http://localhost:1024|https://sipi.unil.ch|ni"
        </VirtualHost>
</IfModule>
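The chain problem discussed in this thread, as an added example that is not part of the issue or of Sipi's own code: a constructed three-tier chain (root CA, intermediate CA, leaf) is built with openssl, and the leaf is then verified with the root as the only trusted anchor, which is what a browser or openssl s_client does. Without the intermediate the verification fails (s_client shows this as `verify error:num=20:unable to get local issuer certificate`); with the intermediate supplied next to the leaf, or in one combined PEM file, it succeeds. The example assumes openssl 1.1.1 or later on PATH and a writable temp directory; `WORK`, the certificate names and `sipi.example.test` are the example's own stand-ins, not the QuoVadis chain or the real host.

```shell
#!/bin/sh
# Added example, not Sipi project code. Builds a constructed Root CA -> Intermediate CA -> leaf
# chain with openssl and checks how a client sees the leaf with and without the intermediate.
# Assumes: openssl 1.1.1+ in PATH; WORK is a writable scratch directory (created if unset).
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_chain() {
  # 1. Self-signed root CA (stand-in for a root such as "QuoVadis Root CA 2").
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  openssl x509 -req -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # 2. Intermediate CA, signed by the root (stand-in for an ICA such as "QuoVadis EV SSL ICA G1").
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ica.ext"
  openssl x509 -req -days 1825 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ica.ext" -out "$WORK/intermediate.pem" >/dev/null 2>&1

  # 3. Leaf (server) certificate, signed by the intermediate (stand-in for the sipi host).
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=sipi.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sipi.example.test\n' > "$WORK/leaf.ext"
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" >/dev/null 2>&1

  # 4. The conventional fix: one PEM file, leaf first, then the intermediate(s), root not needed.
  cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"
}

# Each check trusts only the root, exactly like a client that has the root in its store,
# and builds the chain from whatever extra certificates the server hands over.

# Server sends only its leaf: the issuer cannot be found, the chain is untrusted (exit != 0).
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Server also sends the intermediate: the chain completes up to the trusted root.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
    "$WORK/server.pem" >/dev/null 2>&1
}

# Same check, with the intermediate taken from the combined fullchain.pem.
verify_with_fullchain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" \
    "$WORK/server.pem" >/dev/null 2>&1
}

# Number of certificates in the combined file (leaf + intermediate = 2).
count_chain_certs() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/fullchain.pem"
}

make_chain
if verify_leaf_alone; then echo "leaf alone: trusted (unexpected)"
else echo "leaf alone: UNTRUSTED, intermediate missing"; fi
if verify_with_intermediate; then echo "leaf + intermediate.pem: trusted"; fi
if verify_with_fullchain; then
  echo "leaf + fullchain.pem ($(count_chain_certs) certs in file): trusted"
fi
```

The order inside the combined file matters: the server's own certificate comes first, followed by the intermediate(s) in issuing order; the root is normally left out because the client already has it. This is the file layout that Apache's SSLCertificateChainFile expects, and since httpd 2.4.8 SSLCertificateFile itself accepts the leaf followed by its intermediates.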

subotic commented 7 years ago

Hi Loic

I'm not sure (just a hunch), but according to this, you should use SSLProxyEngine instead of SSLEngine.

loicjaouen commented 7 years ago

Thanks @subotic, my understanding is that SSLProxyEngine is needed on the proxy if the remote server is serving https connections (in their example they most probably -we don't see the full config file- use both as they modify the default ssl config, and SSLProxyEngine is not needed as they target an http remote server).

subotic commented 7 years ago

Are you sure? This is how Atlassian described the flow:

Client Browser -> HTTPS -> Apache Proxy -> HTTP -> Tomcat (JIRA)

I have no idea. I read the apache documentation regarding SSLProxyEngine, but the description is very short and can be understood both ways.

lrosenth commented 6 years ago

Just an Update: I'll try to implement this directly in SIPI... Have to dig into SSL docu.... :-(