From: Fiedler Roman
To: Robin Becker, "users@httpd.apache.org"
Date: Wed, 9 Oct 2013 12:32:53 +0000
Subject: AW: AW: [users@httpd] ssl setup checking

> From: Robin Becker [mailto:robin@reportlab.com]
>
> On 09/10/2013 13:15, Fiedler Roman wrote:
> ..........
> >
> > Unless you want to use client certificates from globalsign, "SSLCACertificateFile" will not make sense. See [1]
> >
> > Roman
> >
> > [1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
> ..........
>
> This page https://support.globalsign.com/customer/portal/articles/1225234 says
> explicitly that I need the SSLCACertificateFile directive

Strange, perhaps I misread the configuration or this is just required so that NSA can log in if you happen to want to use client-certificates also.

> > Your virtual host section will need to contain the following directives:
> >
> >     SSLCACertificateFile - This will need to point to the appropriate GlobalSign root CA certificate.
> >     SSLCertificateChainFile - This will need to point to the appropriate intermediate root CA certificates you previously created in Step 1 above.
> >     SSLCertificateFile - This will need to point to the end entity certificate. This is the certificate you have called "mydomain.crt."
> >     SSLCertificateKeyFile - This will need to point to the private key file associated with your certificate.
>
> what I don't understand is where the cross certificate goes.

I've just put all chain certificates into "SSLCertificateChainFile", nothing else was required on apache2.2. But we had problems with some clients that still did not want to accept the chain, mostly on mobile devices.
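
Added example, not part of the original thread or of anyone's posted configuration: a shell check that a chain file of the kind given to SSLCertificateChainFile lets a client trusting only the root verify the server certificate. It assumes `openssl` is installed; the lab PKI, file names, subjects and function names are constructed for illustration.

```bash
#!/bin/sh
# Constructed lab PKI (throwaway keys): root -> intermediate -> leaf.
# File names, subjects and function names are illustrative assumptions.

# make_lab_pki DIR: write root.crt, int.crt and leaf.crt (plus keys) into DIR.
make_lab_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab $n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ca.ext -out root.crt 2>/dev/null &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 \
        -days 2 -extfile ca.ext -out int.crt 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -set_serial 3 \
        -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null
)

# chain_ok LEAF CHAINFILE ROOT: succeed only if a client that trusts just ROOT
# can build a path to LEAF from the certificates in CHAINFILE (the role the
# SSLCertificateChainFile contents play in the handshake).
chain_ok() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

LAB=$(mktemp -d)
make_lab_pki "$LAB" || { echo "openssl could not build the lab PKI" >&2; exit 1; }
cp "$LAB/int.crt" "$LAB/chain.pem"        # complete chain file: the intermediate
cp "$LAB/root.crt" "$LAB/rootonly.pem"    # incomplete: intermediate missing

for f in rootonly.pem chain.pem; do
    if chain_ok "$LAB/leaf.crt" "$LAB/$f" "$LAB/root.crt"; then
        echo "$f: leaf verifies"
    else
        echo "$f: leaf does NOT verify"
    fi
done
```

Against a real deployment, the same `chain_ok` call takes the server certificate, the file named in SSLCertificateChainFile and the CA's root certificate as its three arguments.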