From: "Hossy"
Date: Sun, 13 Mar 2011 10:44:06 -0500
Subject: [users@httpd] SSL Directives

I'm seeking validation on an issue I'm discussing regarding the use of the SSLCACertificateFile and SSLCertificateChainFile directives.

What I'm trying to do: Install an SSL certificate on my web site (for use with HTTPS) and provide the certificate chain from the server.

What I'm not trying to do: Allow web site users to authenticate to my site via their own certificates.

I'm being told by cPanel/WHM support that the two directives can be used interchangeably when applying an SSL certificate to a site for Web Server Authentication for the purposes of returning the certificate chain. Even through the WHM interface, when it asks for the "ca bundle," it adds the SSLCACertificateFile directive to the httpd.conf for the resulting file.

Through my testing with openssl s_client and http://www.sslshopper.com/ssl-checker.html, I'm seeing that when using the SSLCACertificateFile directive, only the server certificate is returned. However, when I change to the SSLCertificateChainFile directive, both the Intermediate and CA certificates are returned in addition to the server certificate.

I'm reading through the documentation on mod_ssl (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html) and under the SSLCertificateChainFile directive, it says, "This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate." And under SSLCACertificateFile, it says, "This can be used alternatively and/or additionally to SSLCACertificatePath."

So I'm confused. Can anyone explain why using SSLCertificateChainFile causes the server certificate chain to be sent to the browser while using SSLCACertificateFile doesn't despite the apparent link in the documentation?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
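The openssl s_client test described in the message can be made repeatable by parsing the "Certificate chain" section of its output. This is an added example, not part of the original message: the sample output is constructed, and the names parse_chain and assess are hypothetical.

```python
import re

# Constructed excerpts in the shape `openssl s_client -connect host:443` prints;
# the names are placeholders, not output captured from a real server.
LEAF_ONLY = """Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
---
"""
FULL_CHAIN = """Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
 2 s:/CN=Example Root CA
   i:/CN=Example Root CA
---
"""
SUBJECT = re.compile(r"^\s*\d+\s+s:\s*(.+?)\s*$")
ISSUER = re.compile(r"^\s+i:\s*(.+?)\s*$")

def parse_chain(output):
    """Return [(subject, issuer), ...] for each certificate the server sent."""
    chain, in_section, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of section; PEM "-----BEGIN" lines do not match this
        elif in_section and SUBJECT.match(line):
            subject = SUBJECT.match(line).group(1)
        elif in_section and subject is not None and ISSUER.match(line):
            chain.append((subject, ISSUER.match(line).group(1)))
            subject = None
    return chain

def assess(chain):
    """Classify the presented chain by linking each issuer to the next subject."""
    if not chain:
        return "no certificates parsed"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken or misordered chain"
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        return "leaf only, no intermediates sent"
    return "chain of %d certificates sent" % len(chain)

if __name__ == "__main__":
    print(assess(parse_chain(LEAF_ONLY)), "|", assess(parse_chain(FULL_CHAIN)))
```

Running the same check before and after a directive change in httpd.conf shows whether the server started or stopped presenting intermediates.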