Custom SSL certificate with more than two intermediate CAs


Nacho Coloma

Aug 1, 2012, 2:03:30 PM
to google-a...@googlegroups.com
Hi, I have just configured a certificate for our own custom domain (VIP) and it is working fine, but Android browsers are refusing to connect.

Investigating, it seems that I should include the full chain of intermediate CAs in the uploaded PEM file, but that's not possible since App Engine only allows at most two certificates in the PEM file. Our Comodo certificate has a chain composed of five CAs. If I try to upload the full PEM file, App Engine complains that the format is not supported.

The working certificate can be seen at https://koliseo.com. You can test it with:

openssl s_client -showcerts -connect www.koliseo.com:443

Desktop browsers are OK with it, but Android (Froyo and Honeycomb) will just refuse to connect. Any ideas?

Cayden Meyer

Aug 3, 2012, 1:23:35 AM
to google-a...@googlegroups.com
Hi Nacho,

You appear to have the incorrect CNAME for your domain. This is most probably what is causing Android browsers to fail to connect. The correct CNAME can be found in your Google Apps control panel. The uploading and configuring certificates section of the SSL for Custom Domains documentation may prove helpful if you have any issues.

On the topic of intermediate certificates, you should be able to download a single intermediate certificate from Comodo here. Usually certificate authorities provide a bundle file which contains the full chain, but often not all the certificates in the bundle are required.

Regards,

Cayden Meyer
Product Manager, Google App Engine

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/AvvSXY6BrugJ.
To post to this group, send email to google-a...@googlegroups.com.
To unsubscribe from this group, send email to google-appengi...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.

Nacho Coloma

Aug 3, 2012, 4:27:48 AM
to google-a...@googlegroups.com
Hi Cayden,

Thanks for your reply.

You appear to have the incorrect CNAME for your domain. This is most probably what is causing Android browsers to fail to connect. The correct CNAME can be found in your Google Apps control panel. The uploading and configuring certificates section of the SSL for Custom Domains documentation may prove helpful if you have any issues.

Yep, I saw the change of ghs name, but since neither certificate was working we are just stopping this (with this working configuration) until our new certificate arrives.

We just purchased a new one with DigiCert that includes EV validation and uses (supposedly, as far as we could check) a single intermediate authority.


On the topic of intermediate certificates, you should be able to download a single intermediate certificate from Comodo here. Usually certificate authorities provide a bundle file which contains the full chain, but often not all the certificates in the bundle are required.

Ours is (was) a Comodo EssentialSSL. It comes with 5 CAs in the bundle, and AFAIK most browsers require the chain up to the root CA.

Don't worry about this, the change of certificate should fix it up. Anyway, I would reconsider the limitation of two CAs in the PEM bundle, if that's an option. It's just my fault for not fully understanding the limitations before choosing the certificate provider. Thank God for the 15-day refund policy.

Thanks for your support.

johnP

Aug 3, 2012, 5:54:11 PM
to google-a...@googlegroups.com
Are you using a VIP certificate? If so, you need to change the CNAME, as Cayden said. The ghs CNAME does not support VIP - SNI only.

Cayden Meyer

Aug 26, 2012, 9:09:08 PM
to google-a...@googlegroups.com
Just updating this thread. We have added support for up to 5 chained/intermediate certificates. Users of Comodo and other CAs which require more than 2 chained/intermediate certificates can now append the CA provided bundles/intermediate certificates to their uploaded certificate. 

Cheers,

Cayden Meyer
Product Manager, Google App Engine

Gopal Patel

Sep 25, 2012, 12:21:52 AM
to google-a...@googlegroups.com
Newbie here.

My CA provides 3 .crt format certificates.

And I am allowed to upload only one PEM via the Google Apps SSL tab.

One is sslca.crt, another is addexternalcaroot.crt and one is mywebsite.crt.

I converted mywebsite.crt to PEM and uploaded it, and it works with SNI.

What do I need to do with the other two?

Gopal Patel

Sep 26, 2012, 3:01:18 AM
to google-a...@googlegroups.com
It says invalid key when trying with the combined crt; it works with a single crt.

On Wed, Sep 26, 2012 at 8:17 AM, Ivan Volosyuk <v...@google.com> wrote:
You may want to concatenate the files into your certificate.pem for extra compatibility with various browsers.

Timofey Koolin

Sep 26, 2012, 4:42:59 AM
to google-a...@googlegroups.com
You must convert all of them to PEM, then open each of them in a text editor and copy all the content into one file.
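
As an added example (not code from the thread or from App Engine), here is the convert-and-concatenate step described in the replies above done in pure Python: it performs the same DER-to-PEM transformation as `openssl x509 -inform DER -outform PEM`, puts the site certificate ahead of its intermediates, and rejects a bundle that exceeds the upload limit (2 certificates when the thread started, 5 after the update earlier in this thread). The certificate bytes used in the test are constructed stand-ins, not real certificates.

```python
import base64
import re

# App Engine limit on certificates in one uploaded PEM file: 2 when the thread
# started, 5 after the update (site certificate plus intermediates).
MAX_CERTS_IN_BUNDLE = 5

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def to_pem(data: bytes) -> str:
    """Normalise one certificate file (.crt) to a single clean PEM block.

    Binary DER starts with the ASN.1 SEQUENCE tag 0x30; base64-wrapping it in
    BEGIN/END lines is what `openssl x509 -inform DER -outform PEM` does.
    Input that is already PEM is re-emitted as one block, stripped of any
    surrounding text and odd line endings that can make an upload fail.
    """
    m = PEM_BLOCK.search(data)
    if m:
        der = base64.b64decode(m.group(1))  # whitespace is skipped by default
    elif data[:1] == b"\x30":
        der = data
    else:
        raise ValueError("not a DER or PEM certificate")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(leaf: bytes, intermediates: list,
                 limit: int = MAX_CERTS_IN_BUNDLE) -> str:
    """Concatenate the site certificate first, then the intermediates in
    signing order (the CA that signed the leaf first, root-most last). The
    self-signed root is left out: clients must already trust it anyway.
    Raises if the result would exceed the upload limit."""
    blocks = [to_pem(leaf)] + [to_pem(c) for c in intermediates]
    if len(blocks) > limit:
        raise ValueError(f"{len(blocks)} certificates exceed the limit of {limit}")
    return "".join(blocks)


def count_certs(bundle: str) -> int:
    """Number of certificate blocks in a PEM bundle (what the upload sees)."""
    return len(PEM_BLOCK.findall(bundle.encode("ascii")))
```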

Gopal Patel

Sep 28, 2012, 6:33:24 AM
to google-a...@googlegroups.com
Thanks. Did it. Worked Great. 