[Libwebsockets] Including the full SSL certificate chain

Sumit Dubey sumitd2002 at yahoo.com
Thu May 7 06:00:28 CEST 2020


Hi Andy,
Specifying the .ca-bundle seems to have worked. Thanks anyway for the quick response.
Sumit 


On Thursday, May 7, 2020, 9:27 AM, andy at warmcat.com wrote:



On May 7, 2020 1:16:32 AM UTC, Sumit Dubey <sumitd2002 at yahoo.com> wrote:
>
>Dear team,
>I am wondering how to include the full certificate chain using the info
>parameter. Currently I have included the .cert and .key, which Firefox
>refuses to recognise with error code SEC_ERROR_UNKNOWN_ISSUER. Chrome,
>Safari and Edge are working fine.

You don't send 'the full certificate chain', since sending the CA cert(s) is pointless. The client has to have that himself already by other means, trust those means, and trust the CA cert.

What you may do is append intermediates. You can literally append PEM certs one after the other in the cert file you serve.

The client will then assemble a chain and validate it if possible even if it doesn't have the intermediate(s) locally already.

-Andy

>Thank you Sumit Dubey 
>
>Sent from Yahoo Mail for iPhone
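
Added example, not part of the thread or of libwebsockets: a shell check of the advice above, using a constructed throwaway root, intermediate and leaf generated with the openssl CLI (assumed installed). It shows that a client trusting only the root rejects a cert file holding just the leaf, and accepts the same leaf once the intermediate is appended to the served file.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed throwaway test material.
set -eu

# Build root -> intermediate -> leaf in directory $1 (all names are made up).
make_pki() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -extensions v3_ca -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -subj "/CN=constructed-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Would a client that trusts only root $1 accept the PEM file $2 as served?
# openssl verify checks the first cert in $2 (the leaf); anything appended is
# offered via -untrusted as chain-building material only, never as a trust anchor.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

report() {  # $1 = label, $2 = root, $3 = served file
  if chain_ok "$2" "$3"; then echo "$1: chain validates"
  else echo "$1: issuer unknown to client"; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
cat "$work/leaf.pem" "$work/int.pem" > "$work/served.pem"  # leaf first, then intermediate
report "leaf only" "$work/root.pem" "$work/leaf.pem"
report "leaf + intermediate" "$work/root.pem" "$work/served.pem"
```

The `served.pem` layout (leaf first, intermediates after, root left out) is the shape of the cert file to serve.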

