From: Ray Van Dolson
To: users@httpd.apache.org
Date: Thu, 18 Nov 2010 09:07:09 -0800
Message-ID: <20101118170709.GA3209@esri.com>
Subject: [users@httpd] Proper way to reference intermediate certificates in Apache 2.2.x

I just updated a Verisign certificate for one of our sites, and noticed Firefox was complaining that it wasn't valid. This usually happens when Verisign's released a new intermediate certificate, and I typically just install the new one and point to it using SSLCACertificateFile.

This time around, that didn't work. I RTFM and it seemed that SSLCACertificateFile had nothing at all to do with intermediate certs, and everything to do with client authentication, and that I _should_ be using SSLCertificateChainFile. Several posts[1][2] I stumbled across seemed to confirm this as well.

I made the change in configuration directive, and sure enough, everything began working.

Upon checking, I realized I have several other sites using SSLCACertificateFile to point to an (older) intermediate cert file from Verisign. I'm curious why this works when it appears to be the wrong configuration directive for the job, but doesn't with the new intermediate cert file?

[ One wrinkle is that with the newest intermediate cert from Verisign, they are actually providing a primary and secondary cert instead of just one. ]

Using Apache 2.2.x.

Thanks,
Ray

[1] http://httpd.markmail.org/thread/ip4oqm2ugbdhkdjx
[2] http://httpd.markmail.org/thread/6bxoeyaykx4fvcp7
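
A configuration sketch of the two directives the message contrasts, added here as an illustration and not taken from the original post. The hostname and all file paths are placeholders, and the chain file is assumed to hold both intermediate certificates concatenated in PEM form.

```apache
# Added example for Apache 2.2.x with mod_ssl.
# Hostname and paths are hypothetical; adjust them to the local layout.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # The server's own certificate and its private key.
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # Intermediate CA certificates that are sent to the browser together
    # with the server certificate. When the CA supplies more than one
    # intermediate (for example a primary and a secondary), concatenate
    # them into this one PEM file, starting with the CA that issued the
    # server certificate.
    SSLCertificateChainFile /etc/httpd/ssl/intermediate-chain.pem

    # CA certificates used to verify certificates presented by *clients*.
    # Only relevant when client authentication is enabled, so it is left
    # commented out here.
    # SSLCACertificateFile /etc/httpd/ssl/client-auth-ca.pem
    # SSLVerifyClient      require
</VirtualHost>
```

After a restart, `openssl s_client -connect www.example.com:443 -showcerts` lists the certificates the server actually sends, which should include the intermediates as well as the server certificate.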