[Libwebsockets] Including the full SSL certificate chain

andy at warmcat.com andy at warmcat.com
Thu May 7 05:57:35 CEST 2020



On May 7, 2020 1:16:32 AM UTC, Sumit Dubey <sumitd2002 at yahoo.com> wrote:
>
>Dear team,
>I am wondering how to include the full certificate chain using the info
>parameter. Currently I have included the .cert and .key, which Firefox
>refuses to recognise with error code SEC_ERROR_UNKNOWN_ISSUER. Chrome,
>Safari and Edge are working fine.

You don't send 'the full certificate chain', since sending the CA cert(s) is pointless.  The client has to have that himself already by other means, trust those means, and trust the CA cert.

What you may do is append intermediates.  You can literally append PEM certs one after the other in the cert file you serve.

The client will then assemble a chain and validate it if possible even if it doesn't have the intermediate(s) locally already.

-Andy

>Thank you Sumit Dubey 
>
>Sent from Yahoo Mail for iPhone
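
The behaviour described in the reply above, as an added example that is not part of the original post or of libwebsockets: Go's crypto/x509 stands in for a client verifier that trusts only the root and is handed the served cert file. The three certificates, their names and the helpers `issue`, `verifyServed` and `demo` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed one-hour test cert; a nil parent means self-signed (the root).
func issue(cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), t, key
}

// verifyServed acts as the client: first PEM block is the leaf, the rest are untrusted
// intermediates, and only trustedPEM (held by the client beforehand) is a trust anchor.
func verifyServed(certFile, trustedPEM []byte) error {
	first, rest := pem.Decode(certFile)
	if first == nil {
		return fmt.Errorf("no PEM certificate in file")
	}
	leaf, err := x509.ParseCertificate(first.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AppendCertsFromPEM(trustedPEM)
	opts.Intermediates.AppendCertsFromPEM(rest)
	_, err = leaf.Verify(opts)
	return err
}

func demo() (leafOnly, withIntermediate error) { // leaf-only file, then intermediate appended
	rootPEM, root, rootKey := issue("Constructed Root CA", true, nil, nil)
	midPEM, mid, midKey := issue("Constructed Intermediate CA", true, root, rootKey)
	leafPEM, _, _ := issue("server.example", false, mid, midKey)
	return verifyServed(leafPEM, rootPEM), verifyServed(append(leafPEM, midPEM...), rootPEM)
}
func main() { fmt.Println(demo()) }
```

The root is never placed in the served file here; the verifier only reaches it through its own trust store.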

