Both RSA and ECDSA same server causing chain issues

Question asked by Michael Peters on Sep 14, 2015
Latest reply on Sep 15, 2015 by Michael Peters

SSL Server Test: 6969.us (Powered by Qualys SSL Labs)

There - the IPv4 uses RSA and gets A+ and the IPv6 uses ECDSA and gets A+

There is no chain issue.

But when I have both certificates - it appears to be doing the right thing in the client test (clients that support secp521r1 use ECDSA ciphers, others use aRSA ciphers) but the test complains about an incomplete chain.

This is what I am doing to use both:

# ECDSA Certificate
SSLCertificateFile /etc/pki/tls/certs/6969.us-20150914-ECDSA.crt
SSLCACertificateFile /etc/pki/tls/certs/6969.us-chain-20150914-ECDSA.crt
SSLCertificateKeyFile /etc/pki/tls/private/6969.us-20150914-ECDSA.key
# RSA Certificate
SSLCertificateFile /etc/pki/tls/certs/6969.us-20150623-RSA.crt
SSLCACertificateFile /etc/pki/tls/certs/6969.us-chain-20150623-RSA.crt
SSLCertificateKeyFile /etc/pki/tls/private/6969.us-20150623-RSA.key

Apache 2.4.16

Right now in the linked test, the ECDSA are just commented out for IPv4 and the RSA are just commented out for IPv6 to demonstrate the chains are correct.

Is this a Qualys bug or am I not understanding how to do dual certificates?
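A lint for the dual-certificate configuration in the question, as an added example that is not part of the original post or of Apache. mod_ssl documents SSLCertificateFile and SSLCertificateKeyFile as repeatable, one pair per key algorithm; the example assumes that SSLCACertificateFile and SSLCertificateChainFile hold a single value per server context, with the last occurrence winning. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the directives from the question, as one server context.
SAMPLE_CONF = """\
# ECDSA Certificate
SSLCertificateFile /etc/pki/tls/certs/6969.us-20150914-ECDSA.crt
SSLCACertificateFile /etc/pki/tls/certs/6969.us-chain-20150914-ECDSA.crt
SSLCertificateKeyFile /etc/pki/tls/private/6969.us-20150914-ECDSA.key
# RSA Certificate
SSLCertificateFile /etc/pki/tls/certs/6969.us-20150623-RSA.crt
SSLCACertificateFile /etc/pki/tls/certs/6969.us-chain-20150623-RSA.crt
SSLCertificateKeyFile /etc/pki/tls/private/6969.us-20150623-RSA.key
"""

# Documented as repeatable, one per key algorithm.
REPEATABLE = {"sslcertificatefile", "sslcertificatekeyfile"}
# Assumption: one value per server context, last occurrence wins.
SINGLE_VALUED = {"sslcacertificatefile", "sslcertificatechainfile"}

def parse_directives(conf):
    """Return (lineno, name, argument) for each non-comment directive line."""
    out = []
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.*)", line)
        if m:
            out.append((n, m.group(1), m.group(2).strip().strip('"')))
    return out

def audit_dual_cert(conf):
    """Return effective values and the single-valued settings that were overridden."""
    effective, overridden = {}, []
    for n, name, arg in parse_directives(conf):
        key = name.lower()  # Apache directive names are case-insensitive
        if key in REPEATABLE:
            effective.setdefault(key, []).append(arg)
        elif key in SINGLE_VALUED:
            if key in effective:
                overridden.append((key, effective[key], n))
            effective[key] = arg
    return effective, overridden

if __name__ == "__main__":
    eff, lost = audit_dual_cert(SAMPLE_CONF)
    for name, value, lineno in lost:
        print(f"{name}: {value} replaced at line {lineno} by {eff[name]}")
```

Under that assumption, a reported override means only one of the two chain files is in effect, so the certificate whose intermediates are in the other file is the one to check for an incomplete chain.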
