I'd like to find out how many browsers reject our SSL certificate when making HTTP requests to our webserver. We're using a free CA which now seems to be recognised by most modern browsers, but I'd like to get some numbers without exhaustively testing combinations of browsers and operating systems.
I understand that the browser terminates the connection when certificate verification fails, so is there any way for Apache to detect this? I don't expect to get specific diagnostic information - just the fact that there was a certificate/SSL problem is enough.
The SSL protocol does indeed have an alert code for when the CA is unknown... you could detect it using something like tshark I suppose.
But more useful is knowing how to avoid the problem. In Apache, make sure you have the following THREE directives:
The extensions given to the filenames don't really matter to Apache. In this case, the SSLCertificateFile will be a single X.509 certificate with the Subject of the server, and the SSLCertificateChainFile will be a concatenation of Intermediate and Root CA certificates (starting with the root first).
Here's a useful script for helping to explore certificate chains in PEM encoding.
(this particular script is also used for a particular XML application, which is what the sed bits near the start are meant to support; the interesting bits are done by gawk.)
Here's an example of how you can use it (such as to determine whether the certificates in the CA bundle are in the right order -- sometimes this matters).
Notice how the issuer of one certificate is adjacent to the subject of its parent [immediately below].
Here's another example of how you can use that script, to inspect a local file.
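The chain-inspection script and its example runs did not survive extraction on this page, so the POSIX shell below is an added example of the same kind of inspection (it is not the answer's script, nor code from Apache or any CA). It splits a PEM bundle such as an SSLCertificateChainFile into its certificates with awk, prints each certificate's subject and issuer with openssl so you can see whether the issuer of one certificate matches the subject of the next, checks that order, and then runs the path validation a browser performs, once with the root trusted and once with an unrelated root standing in for a browser that does not know the CA. The PKI it builds is constructed locally for the demo (hypothetical names "Demo root CA", "Demo intermediate CA", "www.example.test", "Demo other CA"); all function names are my own. One caveat: the order check expects the server certificate's issuer first and the root last, which is the order the TLS handshake sends certificates and the order mod_ssl documents for SSLCertificateChainFile; `openssl verify` finds the path regardless of the order inside the file, so a misordered bundle is caught only by the order check, not by verification.

```shell
#!/bin/sh
# Added example (not the original answer's script): inspect a PEM certificate
# bundle and validate a server certificate against it with openssl.
# Every certificate used here is constructed locally; none is a real CA.
set -eu

# Write cert1.pem, cert2.pem, ... into DIR ($2), one per certificate, in the
# order they appear in the bundle ($1). Text between certificates is dropped.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != ""                        { print > f }
        /-----END CERTIFICATE-----/    { close(f); f = "" }
    ' "$1"
}

# Print one "subject<TAB>issuer" line per certificate, in bundle order.
pem_chain_summary() {
    d=$(mktemp -d); split_pem_bundle "$1" "$d"; i=1
    while [ -f "$d/cert$i.pem" ]; do
        s=$(openssl x509 -noout -nameopt RFC2253 -subject -in "$d/cert$i.pem" | sed 's/^subject= *//')
        u=$(openssl x509 -noout -nameopt RFC2253 -issuer  -in "$d/cert$i.pem" | sed 's/^issuer= *//')
        printf '%s\t%s\n' "$s" "$u"
        i=$((i + 1))
    done
    rm -rf "$d"
}

# Exit 0 when each certificate's issuer is the subject of the certificate that
# follows it, i.e. the bundle runs from the server certificate's issuer up to
# the root (the order sent in the TLS handshake and documented for
# SSLCertificateChainFile). Exit 1 on any break in that adjacency.
chain_order_ok() {
    pem_chain_summary "$1" | awk -F '\t' '
        NR > 1 && $1 != prev_issuer { bad = 1 }
        { prev_issuer = $2 }
        END { exit bad ? 1 : 0 }'
}

# Path validation the way a browser does it: the bundle ($2) is only untrusted
# help for building the path; the root must already be in the trust store ($3).
# Exit 0 when the server certificate ($1) validates, non-zero otherwise.
verify_leaf() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed demo PKI written into DIR: two self-signed roots ("root" and an
# unrelated "other"), an intermediate signed by root, and a server certificate
# signed by the intermediate, plus one correctly and one wrongly ordered bundle.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for ca in root other; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.csr" 2>/dev/null
        openssl x509 -req -days 2 -in "$d/$ca.csr" -signkey "$d/$ca.key" -set_serial 1 \
            -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/chain-good.pem"   # issuer first, root last
    cat "$d/root.pem" "$d/int.pem" > "$d/chain-wrong.pem"  # reversed
}

# Run with --demo to see the inspection on the constructed PKI.
if [ "${1:-}" = "--demo" ]; then
    D=$(mktemp -d); make_demo_chain "$D"
    pem_chain_summary "$D/chain-good.pem"
    chain_order_ok "$D/chain-good.pem"  && echo "chain-good.pem: order OK"
    chain_order_ok "$D/chain-wrong.pem" || echo "chain-wrong.pem: root listed before its child"
    verify_leaf "$D/leaf.pem" "$D/chain-good.pem" "$D/root.pem"  && echo "root trusted: verify OK"
    verify_leaf "$D/leaf.pem" "$D/chain-good.pem" "$D/other.pem" || echo "unknown CA: verify FAILED"
    rm -rf "$D"
fi
```

On a live server, point `pem_chain_summary` at the file named by SSLCertificateChainFile to see the adjacency the answer describes; the last line's issuer should be its own subject (the self-signed root), and every other line's issuer should equal the subject on the line below it.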