Thawte recently started issuing a new kind of SSL cert. Instead of just taking your crt and key files and dumping them on your server, you need to install Thawte’s intermediate certificates as well. There are plenty of fine articles about why this is a good idea. Those articles are only useful after you realize that a thing such as a chained cert exists and that your IT guy has given you one. And nginx does not appear in the server matrix; bless the guy that wrote this article or I’d still be in the weeds.

Debugging why your brand new cert isn’t working isn’t fun. While you can typically find a lock icon (top right bezel in Safari, lower right on Firefox) that will show some information about the current certificate, Thawte hosts a java applet that gives full information about the entire certificate chain. This should work for sites using certs from any vendor, not just their certs.

Some questions I asked myself during this process:

Is the cert my IT guy forwarded to me corrupted because his Windows email program mangled it in transit?

$ openssl asn1parse -inform der -in my_site.p12.corrupt 
 0:d=0  hl=4 l=1873 cons: SEQUENCE          
 4:d=1  hl=2 l=   1 prim: INTEGER           :03
 7:d=1  hl=4 l=1815 cons: SEQUENCE          
 11:d=2  hl=2 l=   9 prim: OBJECT            :pkcs7-data
 22:d=2  hl=4 l=1800 cons: cont [ 0 ]        
 26:d=3  hl=4 l=1796 prim: OCTET STRING      [HEX DUMP]:30820700
[...]
Error in encoding
54368:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:

Right. Let’s fix that.

$ irb
irb(main):001:0> p12 = File.read('my_server.p12.corrupt')
irb(main):002:0> fixed = p12.gsub("\r\n", "\n")
irb(main):003:0> File.open('my_server.p12.fixed', 'w'){|f| f.write(fixed)}

So much for DOS. Now, let’s turn the thing into a sensible format for a proper Russian web server.

$ openssl pkcs12 -in my_server.p12.fixed -out my_server.pem

I didn’t see an option to neatly separate the certificate and key into separate files directly from openssl; you’ll need to open up the pem file in your preferred text editor and create a .crt and .key file from the contents.

Now, here is the “tricky” part. You need to include the intermediate certificate(s) in your .crt file, and your own certificate must must must be the first certificate in the amalgamated file. If, like me, you assume the hierarchy implies that the Thawte intermediate CA certs should come first to prepare the way for the cert they signed, let me assure you that you are wrong, and the error you get from the browsers will not help you much. Now, proceed to configure your SSL certs in nginx the way you always did, and you should be good to go.
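Since the browser error tells you nothing about ordering, a quick sanity check on the bundle before handing it to nginx saves a lot of guessing. This is an added example, not from the original post or from Thawte: it builds a made-up root/intermediate/leaf chain in memory (names, keys and serials are constructed for the demo) and then checks that the bundle is leaf-first with each certificate signed by the one after it.

```ruby
require 'openssl'

# Build a constructed three-level chain so the checker runs offline.
def make_cert(subject, issuer_cert, issuer_key, key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject   # self-signed root
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

root_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT         = make_cert('/CN=Example Root CA', nil, nil, root_key, ca: true)
INTERMEDIATE = make_cert('/CN=Example Intermediate CA', ROOT, root_key, int_key, ca: true)
LEAF         = make_cert('/CN=www.example.com', INTERMEDIATE, int_key, leaf_key, ca: false)

# Pull every PEM certificate block out of a bundle, in file order (nginx reads it the same way).
def certs_in_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Returns nil when the bundle is ordered server-cert-first and each cert is signed
# by the next one; otherwise a message saying where the order went wrong.
def chain_order_error(pem)
  certs = certs_in_bundle(pem)
  return 'no certificates found' if certs.empty?
  first_is_ca = certs.first.extensions.any? { |e| e.oid == 'basicConstraints' && e.value.include?('CA:TRUE') }
  return "first cert is a CA (#{certs.first.subject}); your server cert must come first" if first_is_ca
  certs.each_cons(2).with_index do |(child, parent), i|
    unless child.issuer == parent.subject && child.verify(parent.public_key)
      return "cert ##{i + 1} (#{child.subject}) is not signed by cert ##{i + 2} (#{parent.subject})"
    end
  end
  nil
end

GOOD_BUNDLE = [LEAF, INTERMEDIATE].map(&:to_pem).join   # what nginx wants
BAD_BUNDLE  = [INTERMEDIATE, LEAF].map(&:to_pem).join   # the intuitive but wrong order
```

Run `chain_order_error(File.read('my_server.crt'))` against your real bundle; a nil result means the order is what nginx expects.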
