1

To use SSL, the web server that I am using requires the location of a single .pem file (-ssl_cert xyz.pem).

I have a certificate issued by GoDaddy. They gave me the file:

banana.crt

The preceding certificate request was created using a private key I generated:

banana.key

Googling seems to suggest that creating a .pem file is as simple as concatenating them.

`cat banana.key banana.crt > banana.pem`

Unfortunately, starting the server with banana.pem, and visiting it with Safari tells me:

Issued by: Go Daddy Secure Certificate Authority

This certificate was signed by an unknown authority

What's going wrong? Have I or GoDaddy screwed something up in the creation of the certificate, or do I somehow have to mix something from here into my .pem file?

I'm visiting with a fully up to date OS X Leopard + Safari installation.

xyz

3 Answers

6

Depending on which type of certificate you have, go to https://certs.godaddy.com/Repository.go and download the appropriate intermediate certificate chain (one of the .crt files, most likely this one). Paste that into your PEM file along with your own certificate and key.

Nate
  • 1
    +1. I just recently had to do this with a GoDaddy cert. You simply have your private key, the intermediate root CA and finally your cert inside the PEM file - I'm not 100% but I believe the order is important. – CapBBeard Aug 31 '09 at 04:36
3

Your creation of the .pem file is fine. If it weren't, the HTTP server would be unlikely to start.

Assuming that you have a GoDaddy root certificate in your browser's trusted certs, then the certificate that they have provided you is what's known as a "chained" certificate. This means that it hasn't been signed directly by their root. It is signed by an intermediatory CA, which is itself signed by the root.

In order for your browser to trust the chained certificate it needs to know of all certificates in the chain. In Apache this is accomplished with the SSLCertificateChainFile directive, which pushes the other certificates in the chain to the client during the SSL handshake process.

You'll need to find a substitute for this directive in Mongoose. The manual doesn't appear to indicate how. You may find that placing the chain certificate(s) at the end of the PEM helps.

Dan Carley
  • Thank you. Are one or multiple of those from the [here] link in my question the chain certificates? – xyz Aug 10 '09 at 21:25
  • Yep, should be one of those. You might find the output from `openssl x509 -issuer -noout < banana.crt` assists you in identifying which one specifically. – Dan Carley Aug 10 '09 at 21:30
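A local reproduction of the missing-intermediate failure discussed in the answers above, as an added example that is not part of any original post. It builds a throwaway root, intermediate and leaf with openssl (all names are constructed; `inter.crt` stands in for the GoDaddy intermediate) and checks which PEM layout a client trusting only the root accepts. It assumes the leaf is the first certificate in the file, and how the web server itself reads the file is not tested.

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf. All names are hypothetical
# stand-ins for the GoDaddy root, the GoDaddy intermediate and banana.crt.
set -e
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT

# issue NAME CN EXTENSIONS [ISSUER]: writes $DEMO/NAME.key and $DEMO/NAME.crt
issue() {
  printf '%s\n' "$3" > "$DEMO/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$DEMO/$1.key" -out "$DEMO/$1.csr" 2>/dev/null
  if [ -n "$4" ]; then   # signed by ISSUER
    openssl x509 -req -in "$DEMO/$1.csr" -days 1 -extfile "$DEMO/$1.ext" \
      -CA "$DEMO/$4.crt" -CAkey "$DEMO/$4.key" -CAcreateserial \
      -out "$DEMO/$1.crt" 2>/dev/null
  else                   # self-signed root
    openssl x509 -req -in "$DEMO/$1.csr" -days 1 -extfile "$DEMO/$1.ext" \
      -signkey "$DEMO/$1.key" -out "$DEMO/$1.crt" 2>/dev/null
  fi
}

# served_chain_ok ROOT PEM: would a client that trusts only ROOT accept the
# certificates found in the server's PEM file? The first certificate in the
# file is verified; every certificate in it is offered as untrusted chain input.
served_chain_ok() {
  sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$2" > "$2.certs"
  openssl verify -CAfile "$1" -untrusted "$2.certs" "$2.certs" >/dev/null 2>&1
}

# The lookup from the comment above: who issued this certificate?
issuer_of() { openssl x509 -issuer -noout < "$1"; }

issue root   "Demo Root CA"         "basicConstraints=critical,CA:TRUE"
issue inter  "Demo Intermediate CA" "basicConstraints=critical,CA:TRUE" root
issue banana "banana.example"       "basicConstraints=CA:FALSE" inter

cd "$DEMO"
cat banana.key banana.crt > key_and_cert.pem            # the question's layout
cat banana.key banana.crt inter.crt > with_chain.pem    # intermediate appended

issuer_of banana.crt
served_chain_ok root.crt key_and_cert.pem && echo "key_and_cert.pem: trusted" \
  || echo "key_and_cert.pem: unknown authority"
served_chain_ok root.crt with_chain.pem && echo "with_chain.pem: trusted" \
  || echo "with_chain.pem: unknown authority"
```

To check a real bundle, call `served_chain_ok` with the CA's root certificate file and your own PEM instead of the demo files.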
0

Try generating the pem file using the openssl command.