Defining the Problem

I encountered a peculiar problem with my signed SSL certificates the other day. In the latest versions of Firefox and Chrome, the SSL certificate was being trusted and worked just fine. However, in Chrome in iPad (and likely other browsers with similarly limited capabilities), the certificate was deemed "untrusted."

I ran an SSL Test on the domain with which I was having the problem. This yielded a bit of very useful information:

Chain issues     Incomplete

This gave me what I needed to further debug the problem. I discovered that I needed to have the server send a Certificate Chain with the initial SSL hand shake in order for browsers that do not support "certificate discovery" to find the root certificate.

For additional information, see:

Intermediate Certificate Authorities

Fixing the Problem

First, you will need to search your CA's website to download their Intermediate CA file. This file will contain the concatenated chain of trusted CA certificates needed to reach the root certificate. Once you find and download the chain file, you will need to upload it to your server. Here's a list of Intermediate CA files for different Certificate Authorities:

RapidSSL

For simplicity's sake, you will probably want to put the file in the same directory as your signed SSL certificate. Now you will need to configure your virtual host to send this chain file in its initial response for a hand shake.

If you're using the default virtual host for port 443, edit the following line:

#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

Uncomment the line and have it reference the path to the chain file you just uploaded to the server:

SSLCACertificateFile /etc/apache2/path/to/chain/file

Restart Apache.

Is the Problem Fixed?

Run the SSL Test again. If all is well, the chain issue should be resolved. If not, you can further debug the problem by using the following command in a terminal window on your personal computer (not on the server with the SSL issue):

openssl s_client -showcerts -verify 32 -connect domain-name:443

You will need to have openssl installed to run this command

Be sure to replace domain-name with the domain that is having the SSL issue

The output of this command is quite dense and can be difficult to sort through. You will want to first find the top of the output, and then search for something like this:

verify error:num=20:unable to get local issuer certificate