I'm seeking validation on an issue I'm discussing regarding the use of the SSLCACertificateFile and SSLCertificateChainFile directives.

What I'm trying to do: Install an SSL certificate on my web site (for use with HTTPS) and provide the certificate chain from the server.

What I'm not trying to do: Allow web site users to authenticate to my site via their own certificates.

I'm being told by cPanel/WHM support that the two directives can be used interchangeably when applying an SSL certificate to a site for Web Server Authentication for the purposes of returning the certificate chain. Even through the WHM interface, when it asks for the "ca bundle," it adds the SSLCACertificateFile directive to the httpd.conf for the resulting file.

Through my testing with openssl s_client and http://www.sslshopper.com/ssl-checker.html, I'm seeing that when using the SSLCACertificateFile directive, only the server certificate is returned. However, when I change to the SSLCertificateChainFile directive, both the Intermediate and CA certificates are returned in addition to the server certificate.

I'm reading through the documentation on mod_ssl (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html) and under the SSLCertificateChainFile directive, it says, "This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate." And under SSLCACertificateFile, it says, "This can be used alternatively and/or additionally to SSLCACertificatePath."

So I'm confused. Can anyone explain why using SSLCertificateChainFile causes the server certificate chain to be sent to the browser while using SSLCACertificateFile doesn't despite the apparent link in the documentation?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
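
The check the post describes (reading what `openssl s_client` reports under each directive), as an added example that is not part of the original message: a Python parser for the "Certificate chain" section of that output, which reports whether only the leaf or a linked chain was sent. The two sample outputs are constructed, and the function names and hostnames are hypothetical.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -connect host:443 -showcerts` (names are placeholders).
LEAF_ONLY = """\
---
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
---
"""
FULL_CHAIN = """\
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # "<depth> s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")        # "   i:<issuer>"

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_section, subject = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of the chain section (PEM "-----BEGIN" lines do not match)
        elif in_section and (m := ENTRY.match(line)):
            subject = m.group(2).strip()
        elif in_section and subject is not None and (m := ISSUER.match(line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def assess(chain):
    """Classify what was sent and check each issuer matches the next subject."""
    if not chain:
        return "no certificates parsed"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return f"broken link: {issuer!r} is not followed by its own certificate"
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        return "leaf only: intermediates not sent"
    return f"chain sent: {len(chain)} certificates"
```

Feeding it the saved output of one `openssl s_client` run per configuration gives a side-by-side record of what each directive makes the server send.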