Traditionally, a server's SSL certificate is signed by a well-known (root) certificate authority (CA). The signing CA is trusted (or not) by a client when the client consults the list of trusted root CA certs that is provided by Apple in every copy of Mac OS X. These trusted roots live in
/System/Library/Keychains/SystemRootCertificates.keychain
For a server using a SSL cert that is signed by a known authority, use of that cert is fairly straightforward: you provide the service the cert file and the corresponding private key file; when the client connects, the cert is validated against the client's list of trusted roots. It looks something like this:
Root CA  << trust evaluation >> [client's list of trusted roots]
  |
  \
Server cert

In this configuration, the iCal Server config would contain something like the following:
<!-- Public key -->
<key>SSLCertificate</key>
<string>foo.com.crt</string>
<!-- Private key -->
<key>SSLPrivateKey</key>
<string>foo.com.key</string>

For security reasons, CAs have recently begun to sign customer SSL certificates not with their root CA, but rather with an intermediate CA. An intermediate CA has a cert that was signed by the root CA. When the client tries to validate the server's cert, it checks to see that the signer (the intermediate CA) is trusted. This may be a problem, because the (newfangled) intermediate CA is typically NOT in the list of the client's trusted roots. This causes the client to throw warnings when connecting to the service over SSL.
Root CA
  |
  \
Intermediate CA  << trust evaluation >> [client's list of trusted roots]
  |
  \
Server cert

Depends on who you ask. SSL is a rat's nest. For us (iCal Server), this means: the server cert, the intermediate CA cert and the root CA cert are concatenated, in that order, into a single chain file, and the config points at that file:
<!-- SSL Authority Chain File -->
<key>SSLAuthorityChain</key>
<string>foo.com.chcrt</string>

We use 'chcrt' to denote 'chain cert', which is the concatenated representation of the authority chain from server to root.
Odds and ends that may be useful in configuring or troubleshooting this stuff:

Show a cert's contents (subject, issuer, validity, extensions):
openssl x509 -text -in foo.crt

List the trusted root certs by name:
sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain | grep alis

Remove a CA cert from the system keychain:
sudo security delete-certificate -c "Entrust Certification Authority - L1B" /Library/Keychains/System.keychain

Show the chain a server actually presents to clients:
openssl s_client -showcerts -connect foo.apple.com:8443
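The trust evaluation described above can be checked against what a server really sends by parsing the "Certificate chain" section of `openssl s_client -showcerts` output: each cert's issuer must be the subject of the next cert, and the chain must end at (or be issued by) a root the client already trusts. This is an added example, not code from the iCal Server project; the s_client output, the CA names and the trusted-root set are all constructed stand-ins.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output for a correctly
# configured server (leaf, intermediate, root). PEM bodies are omitted; only
# the subject (s:) / issuer (i:) lines matter for the ordering check.
SAMPLE_FULL_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=foo.com
   i:/C=US/O=Example CA Corp/CN=Example Secure Intermediate CA
 1 s:/C=US/O=Example CA Corp/CN=Example Secure Intermediate CA
   i:/C=US/O=Example CA Corp/CN=Example Root CA
 2 s:/C=US/O=Example CA Corp/CN=Example Root CA
   i:/C=US/O=Example CA Corp/CN=Example Root CA
"""

# Same server without SSLAuthorityChain: only the leaf is sent (constructed).
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=foo.com
   i:/C=US/O=Example CA Corp/CN=Example Secure Intermediate CA
"""

# Constructed stand-in for the client's list of trusted roots (subject names).
TRUSTED_ROOTS = {"/C=US/O=Example CA Corp/CN=Example Root CA"}

# One chain entry: " N s:<subject>" followed by "   i:<issuer>" on the next line.
_ENTRY = re.compile(r"^[ \t]*(\d+) s:(.*)\n[ \t]*i:(.*)$", re.M)


def parse_chain(output):
    # Returns [(subject, issuer), ...] in the order the server presented them.
    return [(m.group(2).strip(), m.group(3).strip()) for m in _ENTRY.finditer(output)]


def check_chain(output, trusted_roots):
    # Returns a list of problems; an empty list means the chain is complete.
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain found in s_client output"]
    problems = []
    for n in range(len(chain) - 1):  # cert n must be issued by cert n+1
        if chain[n][1] != chain[n + 1][0]:
            problems.append(f"cert {n} issued by '{chain[n][1]}' but cert {n + 1} is '{chain[n + 1][0]}'")
    last_subject, last_issuer = chain[-1]
    # The last cert must either be a trusted root or be issued by one;
    # otherwise clients that lack the intermediate will warn.
    if last_subject not in trusted_roots and last_issuer not in trusted_roots:
        problems.append(f"chain ends at '{last_subject}' (issuer '{last_issuer}'), not anchored in the trusted roots")
    return problems
```

Running `check_chain` on real output captured with the `-showcerts` command above, with the client's actual root names, tells you before clients do whether the SSLAuthorityChain file is doing its job.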
Hello to the list,
Running CalendarServer 4.2 on Snow Leopard, using the supplied SSL certificates that are self-signed and expired. I tried to change to a CA certificate with information in the plist about SSLCertificate, SSLAuthorityChain and SSLPrivateKey. The exact same files work like a charm in Apache, but when trying in CalendarServer, I get an SSL handshake error:
-----
openssl s_client -connect mycalserver:8443
CONNECTED(00000003)
45947:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:
-----
openssl s_client -connect mycalserver:8443 -servername realnameofcalserver
CONNECTED(00000003)
45960:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_clnt.c:602:
-----
I don’t know the problem here… This certificate was issued with a CSR made from the default OpenSSL on Snow Leopard (0.98r)
Thanks to whoever can help
Pascal
_______________________________________________
calendarserver-users mailing list
calendarserver-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/calendarserver-users