Daniel Kahn Gillmor wrote:
> On 03/27/2014 12:37 PM, Rob Stradling wrote:
>> On 26/03/14 16:46, Daniel Kahn Gillmor wrote:
<snip>
>>> it doesn't even need to fetch the certificate itself, it could just make
>>> the big noisy error log say "you should fetch the cert from <AIAURL> and
>>> append it to <SSLCertificateChainFile>"
>>
>> <AIAURL> is supposed to be DER-encoded rather than Base64-encoded, so the
>> user would need to convert it using "openssl x509 -inform der -out" before
>> appending it to <SSLCertificateChainFile>.
>>
>> <AIAURL> is sometimes a PKCS#7 "certs only" bundle of multiple certs, all
>> issued to the same Subject CA. The certs can be extracted using
>> "openssl pkcs7 -inform der -print_certs", but which one of those certs
>> (if any) should the user append to <SSLCertificateChainFile> ?
>
> hm, that doesn't sound very user-friendly.
>
> Do we have a robust, free tool that, given a single X.509 EE cert, can do
> automagic fetching and trying of all combinations of these things and
> produce a reasonable PEM-encoded SSLCertificateChainFile on stdout?
>
> If we had such a tool, then the detection code in mod_ssl could just
> encourage people to run that tool.
How about not fixing stuff in mod_ssl but only creating a patch for a support tool for httpd (like rotatelogs, etc.) that checks a cert chain and tries to create a correct one like outlined above, such that the admin can take it after cross-checking and configure it just like today.

Regards
Rüdiger
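As an added illustration of the helper tool being discussed (example code written for this page, not anything from the httpd project or from the posters), here is a small POSIX shell script that does the two things Rob's reply calls out: normalise whatever <AIAURL> served (a bare DER cert, a DER PKCS#7 "certs only" bundle, or the PEM form of either) into PEM, and pick the one certificate that belongs in <SSLCertificateChainFile>, namely the candidate whose Subject equals the EE cert's Issuer and which actually verifies the EE cert's signature. It assumes the openssl CLI (1.0.2 or newer, for "verify -partial_chain") is on PATH and that the AIA object has already been downloaded to a file; the URL itself is visible in "openssl x509 -noout -text" output under Authority Information Access. The function make_fixtures builds constructed throwaway certificates (a root, an intermediate, a decoy CA and an EE cert) so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the httpd thread or project.
# Assumes: openssl CLI (>= 1.0.2) on PATH; AIA object already downloaded to a file.
set -eu

# Emit, as PEM, every certificate in FILE, whatever shape the AIA URL served.
# PKCS#7 is tried first so a bundle is never mistaken for a single cert.
certs_in_file() {
    f=$1
    if openssl pkcs7 -inform der -in "$f" -noout 2>/dev/null; then
        openssl pkcs7 -inform der -in "$f" -print_certs
    elif openssl pkcs7 -inform pem -in "$f" -noout 2>/dev/null; then
        openssl pkcs7 -inform pem -in "$f" -print_certs
    elif openssl x509 -inform der -in "$f" -noout 2>/dev/null; then
        openssl x509 -inform der -in "$f"
    elif openssl x509 -inform pem -in "$f" -noout 2>/dev/null; then
        openssl x509 -inform pem -in "$f"
    else
        echo "certs_in_file: $f is neither an X.509 cert nor a PKCS#7 bundle" >&2
        return 1
    fi
}

# Split a PEM stream (the "subject=" lines from -print_certs are dropped)
# into one file per certificate: DIR/cert.1, DIR/cert.2, ...
split_pem() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }'
}

# name_of subject|issuer FILE: the DN without the "subject=" / "issuer=" prefix.
name_of() { openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"; }

# pick_issuer EE AIA_OBJECT: print (PEM) the candidate whose Subject equals the
# EE's Issuer AND which verifies the EE's signature. In a bundle where several
# certs share that Subject (the "which one of those certs" problem), only the
# ones holding the issuing key pass the signature check.
pick_issuer() {
    ee=$1; aia=$2
    want=$(name_of issuer "$ee")
    dir=$(mktemp -d)
    certs_in_file "$aia" | split_pem "$dir"
    if [ ! -e "$dir/cert.1" ]; then
        rm -rf "$dir"; echo "pick_issuer: no certificates found in $aia" >&2; return 1
    fi
    for c in "$dir"/cert.*; do
        [ "$(name_of subject "$c")" = "$want" ] || continue
        if openssl verify -partial_chain -CAfile "$c" "$ee" >/dev/null 2>&1; then
            cat "$c"; rm -rf "$dir"; return 0
        fi
        echo "pick_issuer: a cert in $aia has Subject '$want' but did not sign $ee; skipped" >&2
    done
    rm -rf "$dir"
    echo "pick_issuer: nothing in $aia is the issuer of $ee" >&2
    return 1
}

# Constructed fixtures (throwaway keys and certs in DIR): root -> intermediate
# -> EE, an unrelated decoy CA, and both AIA shapes from the thread.
make_fixtures() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Other CA' \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/ee.key" -out "$d/ee.csr" 2>/dev/null
    openssl x509 -req -in "$d/ee.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/ee.pem" 2>/dev/null
    # AIA shape 1: the bare DER cert RFC 5280 expects.
    openssl x509 -in "$d/int.pem" -outform der -out "$d/aia_single.der"
    # AIA shape 2: a DER PKCS#7 certs-only bundle, decoy first.
    openssl crl2pkcs7 -nocrl -certfile "$d/other.pem" -certfile "$d/int.pem" \
        -outform der -out "$d/aia_bundle.p7b"
}

# CLI use: sh aia_pick.sh server.crt downloaded_aia_object > chain.pem
[ $# -ne 2 ] || pick_issuer "$1" "$2"
```

The signature check is what answers Rob's question: a Subject match alone cannot tell two same-Subject certs apart, but only the ones carrying the key that signed the EE cert will verify. If more than one does (cross-signs of the same key), either is a valid next link and the choice only decides which root the chain ends at, so the admin's cross-check that Rüdiger asks for is still the last word. Walking on to the intermediate's own AIA to extend the chain further is deliberately left out here.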
