https://bz.apache.org/bugzilla/show_bug.cgi?id=66474

            Bug ID: 66474
           Summary: mod_ssl SSLCertificate[Key]File Directives description
                    unclear regarding combined public/private files
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Documentation
          Assignee: docs@httpd.apache.org
          Reporter: chea...@gmail.com
  Target Milestone: ---

The documentation of mod_ssl's SSLCertificateFile Directive contains the
following paragraph:
Finally the end-entity certificate's private key can also be added to the
certificate file instead of using a separate SSLCertificateKeyFile directive.
This practice is highly discouraged. If it is used, the certificate files using
such an embedded key must be configured after the certificates using a separate
key file. If the private key is encrypted, the pass phrase dialog is forced at
startup time.

SSLCertificateKeyFile's documentation contains a similar paragraph:
The private key may also be combined with the certificate in the file given by
SSLCertificateFile, but this practice is highly discouraged. If it is used, the
certificate files using such an embedded key must be configured after the
certificates using a separate key file.

These paragraphs are both unclear about the reason why the mentioned practice
is highly discouraged. According to what Lucien Gentis wrote in ticket #66384,
the constraint mentioned is that directives cannot be freely ordered when such
directives are used.

Please clarify the constraint and explain why the practice is discouraged. I
suggest replacing SSLCertificateKeyFile's paragraph with:
The private key may also be combined with the certificate in the file given by
SSLCertificateFile, but this practice is highly discouraged. If it is used, the
directives with certificate files using such an embedded key must follow
directives with certificates using a separate key file.
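
A lint for the ordering constraint quoted above, as an added example (not part of the bug report or of httpd): it lists SSLCertificateFile targets that also contain a private key, and any separate-key certificates configured after them. The file paths, PEM bodies and the helper name check_order are constructed for illustration, and the input is assumed to be a single virtual-host context.

```python
import re

# Matches PEM headers of every private-key flavour (PKCS#8, RSA, EC, ENCRYPTED).
KEY_RE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Directive names are case-insensitive; commented-out lines do not match.
CERT_RE = re.compile(r'^\s*SSLCertificateFile\s+"?([^"\s]+)"?', re.I | re.M)

def check_order(conf_text, read_file):
    """Return (embedded, misordered) for one server/virtual-host context.

    embedded:   SSLCertificateFile paths whose file also holds a private key.
    misordered: separate-key certificate paths configured after an
                embedded-key one, which breaks the documented ordering.
    """
    paths = CERT_RE.findall(conf_text)
    embedded = [p for p in paths if KEY_RE.search(read_file(p))]
    misordered, seen_embedded = [], False
    for p in paths:
        if p in embedded:
            seen_embedded = True
        elif seen_embedded:
            misordered.append(p)
    return embedded, misordered

# Constructed sample input: paths and PEM bodies are placeholders, not real keys.
SAMPLE_FILES = {
    "/etc/ssl/example/ec-combined.pem":
        "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
        "-----BEGIN EC PRIVATE KEY-----\n(placeholder)\n-----END EC PRIVATE KEY-----\n",
    "/etc/ssl/example/rsa-cert.pem":
        "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
}
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    # SSLCertificateFile /etc/ssl/example/old.pem
    SSLCertificateFile /etc/ssl/example/ec-combined.pem
    SSLCertificateFile "/etc/ssl/example/rsa-cert.pem"
    SSLCertificateKeyFile /etc/ssl/example/rsa-key.pem
</VirtualHost>
"""

if __name__ == "__main__":
    embedded, misordered = check_order(SAMPLE_CONF, SAMPLE_FILES.__getitem__)
    for p in embedded:
        print("embedded private key:", p)
    for p in misordered:
        print("must precede the embedded-key certificates:", p)
```

To run it against a live configuration, pass a reader such as `lambda p: open(p).read()` in place of the sample dictionary lookup.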
