httpd-dev mailing list archives

From Peter Sylvester <peter.sylves...@edelweb.fr>
Subject Re: Certificate chain order not conform to TLS standard
Date Thu, 13 Aug 2009 08:51:25 GMT
Plüm, Rüdiger, VF-Group wrote:
>  
>
>   
>> -----Original Message-----
>> From: Nick Gearls [mailto:nickgearls@gmail.com] 
>> Sent: Thursday, 13 August 2009 08:51
>> To: dev@httpd.apache.org
>> Subject: Re: Certificate chain order not conform to TLS standard
>>
>> I tried both orders:
>>
>> 	 SSLCertificateFile       conf/ssl/server.pem
>> 	 SSLCertificateChainFile  conf/ssl/chain.pem
>>
>> where server.pem contains both the cert and the private key,
>> and chain.pem contains either CA/root or root/CA
>>     
>
> Don't put the root cert in the chain file, only the intermediate certs.
>
>
> Regards
>
> Rüdiger
>   
leaving a self signed root should not be a problem:

      This is a sequence (chain) of X.509v3 certificates.  The sender's
      certificate must come first in the list.  Each following
      certificate must directly certify the one preceding it.  Because
      certificate validation requires that root keys be distributed
      independently, the self-signed certificate that specifies the root
      certificate authority may optionally be omitted from the chain,


/P

