httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ray Van Dolson <rvandol...@esri.com>
Subject [users@httpd] Proper way to reference intermediate certificates in Apache 2.2.x
Date Thu, 18 Nov 2010 17:07:09 GMT
I just updated a Verisign certificate for one of our sites, and noticed
Firefox was complaining that it wasn't valid.  This usually happens
when Verisign's released a new intermediate certificate, and I
typically just install the new one and point to it using
SSLCACertificateFile.

This time around, that didn't work.

I RTFM and it seemed that SSLCACertificateFile had nothing at all to do
with intermediate certs, and everything to do with client
authentication, and that I _should_ be using SSLCertificateChainFile.
Several posts[1][2] I stumbled across seemed to confirm this as well.
I made the change in configuration directive, and sure enough,
everything began working.

Upon checking, I realized I have several other sites using
SSLCACertificateFile to point to an (older) intermediate cert file from
verisign.  I'm curious why this works when it appears to be the wrong
configuration directive for the job, but doesn't with the new
intermediate cert file?

[ One wrinkle is that with the newest intermediate cert from Verisign,
  they are actually providing a primary and secondary cert instead of
  just one. ]

Using Apache 2.2.x.

Thanks,
Ray

[1] http://httpd.markmail.org/thread/ip4oqm2ugbdhkdjx
[2] http://httpd.markmail.org/thread/6bxoeyaykx4fvcp7

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message