httpd-cvs mailing list archives

From kbr...@apache.org
Subject svn commit: r1553825 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
Date Sat, 28 Dec 2013 13:28:05 GMT
Author: kbrand
Date: Sat Dec 28 13:28:05 2013
New Revision: 1553825

URL: http://svn.apache.org/r1553825
Log:
update transformation

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en?rev=1553825&r1=1553824&r2=1553825&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en Sat Dec 28 13:28:05 2013
@@ -529,6 +529,14 @@ SSLCARevocationPath /usr/local/apache2/c
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
 </table>
+<div class="note"><h3>SSLCertificateChainFile is deprecated</h3>
+<p><code>SSLCertificateChainFile</code> became obsolete with version
+2.5.0-dev as of 2013-12-28, when
+<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>
+was extended to also load intermediate CA certificates from the server
+certificate file.</p>
+</div>
+
 <p>
 This directive sets the optional <em>all-in-one</em> file where you can
 assemble the certificates of Certification Authorities (CA) which form the
@@ -561,25 +569,44 @@ SSLCertificateChainFile /usr/local/apach
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
 <div class="directive-section"><h2><a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a>
<a name="sslcertificatefile" id="sslcertificatefile">Directive</a></h2>
 <table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server
PEM-encoded X.509 Certificate file</td></tr>
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server
PEM-encoded X.509 certificate data file</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile
<em>file-path</em></code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server
config, virtual host</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
 </table>
 <p>
-This directive points to the file with the PEM-encoded certificate,
-optionally also the corresponding private key, and - beginning with
-version 2.5.0-dev as of 2013-09-29 - DH parameters and/or an EC curve name
-for ephemeral keys (as generated by <code>openssl dhparam</code>
-and <code>openssl ecparam</code>, respectively). If the private key
-is encrypted, the pass phrase dialog is forced at startup time.
+This directive points to a file with certificate data in PEM format.
+At a minimum, the file must include an end-entity (leaf) certificate.
+Beginning with version 2.5.0-dev as of 2013-12-28, it may also
+include intermediate CA certificates, sorted from leaf to root,
+and obsoletes <code class="directive"><a href="#sslcertificatechainfile">SSLCertificateChainFile</a></code>.
 </p>
+
 <p>
-This directive can be used up to three times (referencing different filenames)
-when both an RSA, a DSA, and an ECC based server certificate is used in
-parallel. Note that DH and ECDH parameters are only read from the first
-<code class="directive">SSLCertificateFile</code> directive.</p>
+Additional optional elements are DH parameters and/or an EC curve name
+for ephemeral keys, as generated by <code>openssl dhparam</code> and
+<code>openssl ecparam</code>, respectively (supported in version 2.5.0-dev
+as of 2013-09-29), and finally, the end-entity certificate's private key.
+If the private key is encrypted, the pass phrase dialog is forced
+at startup time.</p>
+
+<p>
+This directive can be used multiple times (referencing different filenames)
+to support multiple algorithms for server authentication - typically
+RSA, DSA, and ECC. The number of supported algorithms depends on the
+OpenSSL version being used for mod_ssl: with version 1.0.0 or later,
+<code>openssl list-public-key-algorithms</code> will output a list
+of supported algorithms.</p>
+
+<p>
+When running with OpenSSL 1.0.2 or later, this directive allows
+to configure the intermediate CA chain on a per-certificate basis,
+which removes a limitation of the (now obsolete)
+<code class="directive"><a href="#sslcertificatechainfile">SSLCertificateChainFile</a></code>
directive.
+DH and ECDH parameters, however, are only read from the first
+<code class="directive">SSLCertificateFile</code> directive, as they
+are applied independently of the authentication algorithm type.</p>
 
 <div class="note">
 <h3>DH parameter interoperability with primes &gt; 1024 bit</h3>
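Review bot: "this directive allows to configure the intermediate CA chain" is ungrammatical; use "allows the intermediate CA chain to be configured" or "makes it possible to configure the intermediate CA chain". Also, the first paragraph states unconditionally that the file "may also include intermediate CA certificates" and "obsoletes SSLCertificateChainFile", while the fourth paragraph ties per-certificate chains to "OpenSSL 1.0.2 or later"; the first paragraph should mention the version dependency or point to the later paragraph so the two statements are not read as contradicting each other. Finally, "sorted from leaf to root" is the only ordering guidance given for a file that may also hold DH parameters, an EC curve name and the private key; say whether those elements must follow the certificates or may appear in any order.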
@@ -604,25 +631,26 @@ SSLCertificateFile /usr/local/apache2/co
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
 <div class="directive-section"><h2><a name="SSLCertificateKeyFile" id="SSLCertificateKeyFile">SSLCertificateKeyFile</a>
<a name="sslcertificatekeyfile" id="sslcertificatekeyfile">Directive</a></h2>
 <table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server
PEM-encoded Private Key file</td></tr>
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server
PEM-encoded private key file</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile
<em>file-path</em></code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server
config, virtual host</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
 </table>
 <p>
-This directive points to the PEM-encoded Private Key file for the
-server. If the Private Key is not combined with the Certificate in the
-<code class="directive">SSLCertificateFile</code>, use this additional directive
to
-point to the file with the stand-alone Private Key. When
-<code class="directive">SSLCertificateFile</code> is used and the file
-contains both the Certificate and the Private Key this directive need
-not be used. But we strongly discourage this practice.  Instead we
-recommend you to separate the Certificate and the Private Key. If the
-contained Private Key is encrypted, the Pass Phrase dialog is forced
-at startup time. This directive can be used up to three times
-(referencing different filenames) when both a RSA, a DSA, and an ECC based
-private key is used in parallel.</p>
+This directive points to the PEM-encoded private key file for the
+server (the private key may also be combined with the certificate in the
+<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>,
but this practice
+is discouraged). If the contained private key is encrypted, the pass phrase
+dialog is forced at startup time.</p>
+
+<p>
+The directive can be used multiple times (referencing different filenames)
+to support multiple algorithms for server authentication. For each
+<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
+directive, there must be a matching <code class="directive">SSLCertificateFile</code>
+directive.</p>
+
 <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
 SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
 </pre>
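Review bot: "there must be a matching SSLCertificateFile directive" does not say how the match is determined; now that both directives can appear multiple times, state whether a key is paired with a certificate by order of appearance or by key algorithm, so that a misordered configuration is not silently mispaired. The rewritten paragraph also drops the previous text's explicit recommendation to keep certificate and private key in separate files while still calling the combined form "discouraged"; keep a one-line reason so the advice remains actionable.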