httpd-users mailing list archives

From <Lars.Ove.Claes...@telenor.com>
Subject [users@httpd] SSL: Configuring CA Chains
Date Tue, 13 Oct 2009 14:31:39 GMT
Hi.

I'm trying to configure a set of CA Chains using the SSLCACertificatePath-parameter. I have
three separate chains, one for each Intermediate CA I have. All these chains have the same Root
CA.

I see a few things:

- When using SSLCACertificatePath, it seems like Apache is ignoring the verification depth.
This causes the verification to fail. When explicitly including one of the chains using SSLCACertificateFile,
verification is OK. For this reason, I know that the chain itself is valid.

- When using hash-links to each of the chains in the directory, I actually get each chain
loaded twice. Is Apache really using the symlink? It seems to me like it is completely capable
of reading all files in the directory without the symlinks.


I have now created a chain with all three intermediate CAs and the Root CA in one, and am then
using SSLCACertificateFile. This actually works - but are there any issues with doing this?
The three intermediate CAs have no relevance to each other, and is it OK to include them all
in one chain file? When using openssl to dump the contents of the chain, it shows only the
first CA in the chain.


Kind regards,
Lars Ove Claesson
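
Added example, not part of the original message: `openssl x509` reads only the first PEM block in a file, so this script lists every certificate in a concatenated bundle, splits it into one file per certificate, and creates the subject-hash links that a hashed CA directory is looked up by. The function names, the `cert-N.pem` naming and both command-line paths are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example; names and paths are illustrative assumptions.

# Count the PEM certificate blocks in a bundle file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a bundle into <outdir>/cert-1.pem, cert-2.pem, ...
# Any text outside BEGIN/END markers is dropped.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
}

# Print subject and issuer of EVERY certificate in the bundle
# (a plain "openssl x509 -in bundle" stops after the first one).
describe_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Create <subject-hash>.N symlinks for each split certificate,
# bumping N when two certificates share a hash.
hash_links() {
    dir=$1
    for cert in "$dir"/cert-*.pem; do
        h=$(openssl x509 -in "$cert" -noout -hash) || continue
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$h.$n"
    done
}

# Usage: script.sh <bundle.pem> <ca-directory>
if [ "$#" -eq 2 ]; then
    echo "certificates in bundle: $(count_certs "$1")"
    describe_bundle "$1"
    split_bundle "$1" "$2" && hash_links "$2"
fi
```

With one certificate per file and one hash link per certificate, a directory listing shows directly whether the same CA is present more than once.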
