Forgive me if this is a FAQ, but I can't find it in the FAQ list or in
the mail archive.
The mod_ssl documentation says of SSLCertificateChainFile: "This should
be used alternatively and/or additionally to SSLCACertificatePath for
explicitly constructing the server certificate chain which is sent to
the browser in addition to the server certificate".
I have a server certificate from Globalsign which requires two further
certificates to link it to the root certificate that is installed in
most browsers. If I concatenate the PEM encoding of these certificates
into a file pointed to by SSLCertificateChainFile, and put the server
certificate into the file pointed to by SSLCertificateFile then
everything works.
However if I remove the reference to SSLCertificateChainFile, and point
SSLCACertificatePath at a directory containing the individual PEM
encoded certificates (along with the appropriate symlinks created with
the makefile) then it all fails with 'Certificate signer not recognised'
errors. Under these circumstances there is no evidence of the
appropriate chain getting served.
Is the documentation wrong in saying that SSLCertificateChainFile is an
alternative to SSLCACertificatePath for this purpose, or am I reading
it wrong?
FYI, I'm using the current RedHat 7.0 apache/mod_ssl/OpenSSL which
appear to be:
"Apache/1.3.14 (Unix) (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a
mod_perl/1.24".
The SSL section of my working configuration file follows - commenting
out "SSLCertificateChainFile" causes connections to fail. Also below a
partial listing of /etc/httpd/conf/ssl.crt/ - the intermediate
certificates in question are in gs-primserver.crt and gs-server.crt.
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
=====================================================================
<IfDefine HAVE_SSL>
SSLMutex sem
SSLSessionCache dbm:/var/run/http.sessioncache
Listen 443
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mnementh.csi.cam.ac.uk.globalsign.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mnementh.csi.cam.ac.uk.globalsign.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gs-all.crt
SSLCACertificatePath /etc/httpd/conf/ssl.crt/
<Directory "/">
SSLRequireSSL
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b %{SSL_CLIENT_I_DN}x"
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel trace
</VirtualHost>
</IfDefine>
==================================================================
lrwxrwxrwx 1 jw35 webadmin 19 Oct 26 13:47 0cf14d7d.0 -> snakeoil-ca-dsa.crt
lrwxrwxrwx 1 jw35 webadmin 16 Oct 26 13:47 5d8360e1.0 -> snakeoil-dsa.crt
lrwxrwxrwx 1 jw35 webadmin 10 Oct 26 13:47 72d31154.0 -> server.crt
lrwxrwxrwx 1 jw35 webadmin 17 Oct 26 13:47 76dbcc14.0 -> gs-primserver.crt
lrwxrwxrwx 1 jw35 webadmin 16 Oct 26 13:47 82ab5372.0 -> snakeoil-rsa.crt
lrwxrwxrwx 1 jw35 webadmin 37 Oct 26 13:47 91a0dc91.0 -> mnementh.csi.cam.ac.uk.globalsign.crt
-rw-rw-r-- 1 root webadmin 1522 Oct 18 2000 Makefile
-rw-rw-r-- 1 root webadmin 1386 Oct 18 2000 README.CRT
lrwxrwxrwx 1 jw35 webadmin 10 Oct 26 13:47 a4488fd7.0 -> gs-all.crt
lrwxrwxrwx 1 jw35 webadmin 13 Oct 26 13:47 a4488fd7.1 -> gs-server.crt
lrwxrwxrwx 1 jw35 webadmin 11 Oct 26 13:47 b0f3e76e.0 -> gs-root.crt
-rw-rw---- 1 root webadmin 242153 Oct 18 2000 ca-bundle.crt
lrwxrwxrwx 1 jw35 webadmin 19 Oct 26 13:47 e52d41d0.0 -> snakeoil-ca-rsa.crt
-rw-rw-r-- 1 jw35 webadmin 2622 Oct 26 13:49 gs-all.crt
-rw-rw-r-- 1 jw35 webadmin 1350 Oct 25 13:29 gs-primserver.crt
-rw-rw-r-- 1 jw35 webadmin 1261 Oct 25 13:28 gs-root.crt
-rw-rw-r-- 1 jw35 webadmin 1224 Oct 25 13:29 gs-server.crt
-rw-rw-r-- 1 jw35 webadmin 1105 Oct 25 10:17 mnementh.csi.cam.ac.uk.globalsign.crt
-rw-rw---- 1 root webadmin 1464 Dec 18 2000 server.crt
-rw-rw---- 1 jw35 webadmin 3802 Dec 19 2000 servercert.pem
-rw-rw---- 1 root webadmin 1472 Oct 18 2000 snakeoil-ca-dsa.crt
-rw-rw---- 1 root webadmin 1192 Oct 18 2000 snakeoil-ca-rsa.crt
-rw-rw---- 1 root webadmin 1452 Oct 18 2000 snakeoil-dsa.crt
-rw-rw---- 1 root webadmin 1176 Oct 18 2000 snakeoil-rsa.crt
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
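The chain-file assembly and verification that Jon's message is about, as an added example that is not part of the original post or of mod_ssl itself. It builds a throwaway three-level PKI with openssl (a root, two intermediates and a leaf; every CA and host name is made up for the demo), concatenates the two intermediates into the equivalent of gs-all.crt, verifies the leaf both with and without that chain, and then builds a hash-named directory in the style of the ssl.crt/ listing so the -CApath lookup can be tried against the same certificates. It assumes an `openssl` binary on PATH and a POSIX sh; the directory it works in comes from mktemp unless WORK is set.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway PKI
# with openssl, assembles a chain file the way SSLCertificateChainFile
# expects it, verifies the leaf with and without the chain, and builds a
# hash-named directory like the ssl.crt/ listing. All CA and host names
# below are made up for the demo; assumes `openssl` on PATH.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Extensions for the CA certificates: without CA:TRUE a current openssl
# refuses to accept the intermediates as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"

# Issue a certificate named $1 (CN $2) signed by $3, with extension file $4.
issue() {
    name=$1; cn=$2; issuer=$3; ext=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
        -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
        -extfile "$WORK/$ext" -out "$WORK/$name.crt" 2>/dev/null
}

# leaf -> inter2 -> inter1 -> root: a server certificate that needs two
# further certificates to reach the root a browser already has.
make_test_pki() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    issue inter1 "Demo Intermediate 1" root   ca.ext
    issue inter2 "Demo Intermediate 2" inter1 ca.ext
    issue leaf   "www.example.test"    inter2 leaf.ext
}

# The equivalent of gs-all.crt: the leaf's issuer first, then its issuer.
# The root is normally left out, since the client must already trust it.
build_chain_file() {
    cat "$WORK/inter2.crt" "$WORK/inter1.crt" > "$WORK/chain.crt"
}

# Succeeds: only the root is trusted, the intermediates come from the
# chain file (-untrusted), which is what a browser does with what the
# server sends.
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.crt" \
        "$WORK/leaf.crt"
}

# Fails: with the root alone the verifier cannot find the leaf's issuer.
# This is the client's view when the intermediates are not served.
verify_without_chain() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt"
}

# Emulate the Makefile's hash symlinks (hash.0, hash.1 on a collision),
# the layout that SSLCACertificatePath and -CApath look certificates up by.
build_hashed_dir() {
    mkdir -p "$WORK/ssl.crt"
    for c in root inter1 inter2; do
        h=$(openssl x509 -in "$WORK/$c.crt" -hash -noout)
        n=0
        while [ -e "$WORK/ssl.crt/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$WORK/$c.crt" "$WORK/ssl.crt/$h.$n"
    done
}

# Succeeds: the hashed directory is enough for a local verifier to find
# the intermediates. Whether the server *sends* them to the client is a
# separate question, and that is what the chain file settles.
verify_with_dir() {
    openssl verify -CApath "$WORK/ssl.crt" "$WORK/leaf.crt"
}

make_test_pki
build_chain_file
build_hashed_dir
verify_with_chain
if ! verify_without_chain 2>/dev/null; then
    echo "verification without the intermediates fails, as expected"
fi
verify_with_dir
```

Two things to keep in mind when comparing this with the listing above. The names such as a4488fd7.0 come from the pre-1.0.0 MD5-based subject hash; OpenSSL 1.0.0 and later use a different (SHA-1-based) hash for `-hash`, so a current build produces different link names and needs `openssl x509 -subject_hash_old` to reproduce the old ones. And the only authoritative way to see which certificates a server actually sends is to ask it, for example with `openssl s_client -connect host:443 -showcerts`, rather than to reason from the files on disk.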