Environment:
Apache2 + OpenSSL

Setup:
1-Create Self Signed Root CA with CA.pl ("CA-Root.pl -newca")
2-run the script again to create a second Mid CA (self signed) ("CA.pl -newca")
  sign the Mid CA with the Root CA ("CA-Root.pl -signCA")
  (replace the self signed cert with the Root CA signed one)
3-create a CSR for web server ("CA.pl -newreq")
4-sign the CSR with Mid CA ("CA.pl -sign")
5-remove password from web server private key ("openssl rsa -in key -out key.pem")
6-copy cert.pem and key.pem to apache conf dir
  concatenate root and mid CA certificates in one file (ca.crt) and copy to apache conf dir

7-setup ssl.conf:
SSLCertificateFile conf/ssl.crt/cert.pem
SSLCertificateKeyFile conf/ssl.key/key.pem
SSLCertificateChainFile conf/ssl.crt/ca.crt

8-restart apache
9-test with browsers

-IE7 -  warning, cert chain ok, install root cert, restart IE7, OK!
-Opera9 - warning, all certs in chain ok, install Root cert, OK!
-Firefox2 - ERROR -8182!
-SeaMonkey - ERROR!

WorkAround:
-Manual install (Root and) Mid CA certificate (from disk, http, ftp...) under Firefox, 
 restart firefox, connects fine, certificate ok, cert chain ok

10-reconfig ssl.conf:
#SSLCertificateChainFile conf/ssl.crt/ca.crt
# no cert chain !

11-restart apache, remove all installed certificates from browsers
12-test

IE7 - warning, no cert chain (ok)...
Firefox2 - warning, no cert chain 

Manual install Root to IE7, Root and Mid CA to Firefox2 and Restart them

IE7 - cert chain ok
Firefox2 - cert chain ok



13-reconfig ssl.conf:
SSLCertificateChainFile conf/ssl.crt/midca.crt
# only mid CA in chain

14-restart apache, remove all installed certificates from browsers
15-test

IE7 - warning, only root in cert chain (ok)...
Firefox2 - warning, only root in cert chain (ok)... 

Manual install Root to IE7 and Firefox2 and Restart them

Firefox2 - ERROR -8182!

Firefox is strange:
if chain contains root and mid CA:
ERROR, you need to manually install CA certificates (fully trusted)
if no chain:
warning, you can manually install CA-s (fully trusted)
if chain contains only mid cert :
if no cert is installed warning, if root installed only ERROR, if (root and) mid CA is installed ok
if Mid CA is installed not fully trusted, and no root-> warning
 then install root CA fully trusted -> ERROR
 if set mid CA fully trusted again -> ok
 root not full, mid full -> ok

So if chain contains Mid CA:

 if Mid CA installed fully trusted -> OK
 if root is installed (any way), (and mid is not installed, or not fully trusted) -> ERROR
 if root is not installed, (Mid CA is not installed, or not fully trusted) -> warning

IE and Opera work in all cases.
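
Added example (not part of the original report): a way to check the chain from steps 1-6 with "openssl verify" before testing in browsers, covering the chain file variants from steps 7, 10 and 13 plus the case where the self-signed Mid CA copy from step 2 was never replaced. It uses plain openssl req/x509 instead of CA.pl; the subject names, file names other than cert.pem, key.pem, ca.crt and midca.crt, the 2048-bit RSA keys and the 30-day validity are assumptions made for the example.

```sh
#!/bin/sh
# Added example: throwaway Root -> Mid CA -> server chain (constructed names
# and paths), checked with "openssl verify" instead of a browser.

make_chain() {  # $1 = empty work directory
    d=$1; c="$d/ext.cnf"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
        'CN = placeholder' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$c"
    # Step 1: self-signed Root CA
    openssl req -x509 -newkey rsa:2048 -nodes -config "$c" -extensions v3_ca -days 30 \
        -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    # Step 2: Mid CA, first self-signed, then the same key signed by the Root CA
    openssl req -x509 -newkey rsa:2048 -nodes -config "$c" -extensions v3_ca -days 30 \
        -subj "/CN=Example Mid CA" -keyout "$d/mid.key" -out "$d/mid-selfsigned.crt" 2>/dev/null || return 1
    openssl req -new -key "$d/mid.key" -config "$c" -subj "/CN=Example Mid CA" \
        -out "$d/mid.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/mid.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$c" -extensions v3_ca -days 30 -out "$d/midca.crt" 2>/dev/null || return 1
    # Steps 3-5: server CSR signed by the Mid CA, key without passphrase
    openssl req -new -newkey rsa:2048 -nodes -config "$c" -subj "/CN=www.example.test" \
        -keyout "$d/key.pem" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/midca.crt" -CAkey "$d/mid.key" -CAcreateserial \
        -days 30 -out "$d/cert.pem" 2>/dev/null || return 1
    # Step 6: root and mid CA certificates concatenated into one chain file
    cat "$d/root.crt" "$d/midca.crt" > "$d/ca.crt"
}

is_self_signed() {  # $1 = certificate; true when subject and issuer names match
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

verify_served() {  # $1 = trusted root, $2 = server cert, $3 = chain file or ""
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

d=$(mktemp -d) && make_chain "$d" || exit 1
is_self_signed "$d/midca.crt" && echo "midca.crt is still the self-signed copy"
for chain in "$d/ca.crt" "$d/midca.crt" "" "$d/mid-selfsigned.crt"; do
    if verify_served "$d/root.crt" "$d/cert.pem" "$chain"; then r=OK; else r=FAIL; fi
    echo "chain file '${chain##*/}': $r"
done
rm -rf "$d"
```
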













