On Mon, Jan 11, 1999, [EMAIL PROTECTED] wrote:
> Can mod_ssl be configured (and if so, how) to send a server
> certificate chain consisting not only of the server certificate,
> but also of the corresponding CA certificate(s)? That way, sane
> browsers can ask the user to check just the highest-level
> certificate (i.e., its fingerprint); but the user will not be
> bothered with the site certificate's fingerprints, which is the point
> in building a CA. Of course, the user could first download the CA
> certificate from a non-SSL site before visiting one of the sites that
> are certified by that CA; but it should be possible to avoid that
> additional step (in settings where the extra network traffic is not a
> crucial issue).
Yes, just configure the CA certificates with SSLCACertificateFile
and/or SSLCACertificatePath. Although they are "officially" used by SSLeay for
certificate verification only, they are also implicitly used to send out the
server certificate chain. At least this was the case for me a few months ago
when I traced down the material which went over the network together with the
server certificate.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]