...
Be wary of using a browser to test your server configuration. Some browsers (such as Firefox) store intermediate CA certificates received from a server in the browser's certificate store, so unless you're careful, you may be tricked into believing your server is configured correctly when in fact it's not. To avoid this pitfall, use `openssl` to definitively test your server configuration:
```
openssl s_client -connect server:port -CApath /etc/ssl/certs/
```
If the client machine does not have an /etc/ssl/certs/ directory, download the AddTrust External CA Root certificate, and try the following command instead:
```
openssl s_client -connect server:port -CAfile AddTrustExternalCARoot.crt
```
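How to read the result of either command, as an added example that is not part of the original page: `s_client` completes the handshake even when chain validation fails, so the `Verify return code` line is what decides. The function name `s_client_verdict` and both sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify saved `openssl s_client` output.
# The function name and both sample outputs are constructed for illustration.

# Reads s_client output on stdin and prints a one-line verdict.
# Returns 0 when the verify return code is 0, 1 when non-zero, 2 when absent.
s_client_verdict() {
    local out code sent
    out=$(cat)
    # Numeric code from "Verify return code: N (...)"; take the last one if several appear.
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1)
    # Certificates the server sent: " 0 s:...", " 1 s:..." under "Certificate chain".
    sent=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
    if [ -z "$code" ]; then
        echo "unknown: no verify return code found (sent=$sent)"
        return 2
    fi
    if [ "$code" -eq 0 ]; then
        echo "ok: chain validated (sent=$sent)"
        return 0
    fi
    echo "fail: verify return code $code (sent=$sent)"
    return 1
}

# Constructed sample: server sends leaf and intermediate, validation succeeds.
GOOD_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=server.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
    Verify return code: 0 (ok)'

# Constructed sample: server omits the intermediate, validation fails.
BAD_OUTPUT='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=server.example.test
   i:/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$GOOD_OUTPUT" | s_client_verdict
printf '%s\n' "$BAD_OUTPUT" | s_client_verdict || true
```

Against a live server, pipe the command's output into the function: `openssl s_client -connect server:port -CApath /etc/ssl/certs/ </dev/null 2>&1 | s_client_verdict`.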
In either case, if certificate validation succeeds, you know your server is configured correctly. Let's try a specific example:
...