On Thu, Aug 24, 2000, Bill Garrison wrote:
> On Tuesday, August 22, 2000, at 12:24 PM, Dan Mahoney wrote:
>
> > When I try to connect to https://www.lessonlink.com:8443 I get a
> > Netscape box telling me:
> > "www.lessonlink.com is a site that uses encryption to protect encrypted
> > information. However, Netscape does not recognize the authority who
> > signed its Certificate". This error message is coming from a Netscape
> > 4.75 browser running under Linux. I get a similar message trying to
> > access the site through a Mac running IE.
>
> >From the docs, I understand that the SSLCACertificateFile is supposed to
> point to a file containing the certificate of the CA that signed your
> server's certificate.
No, not really. It specifies the CA cert which signed _client_ certificates.
It's a directive for use with client authentication.
> If your certificate is signed by Verisign, you'll
> need a copy of their signing certificate.
Hmm.. no, not the server needs this Verisign cert, the client needs it. NS
4.75 certainly has the Verisign root CA certs, so the real problem seems to be
somewhere other. Can it be that the server cert is a Verisign Global ID? If
yes, then SSLCertificateChainFile has to point to the Verisign intermediate CA
cert.
> That said, I think that if you're not doing client authentication by
> certificate, then you don't need to include the SSLCACertificateFile at
> all.
Yes, correct.
> I'm justing using mod_ssl to encrypt sessions with my web server, so
> I don't have SSLCACertificate specified in my Apache conf; it's working
> just fine.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
