On 2 Apr 2002, jon schatz wrote:

> we had not chosen to trust). geotrust had me install a CA cert on the
> server and use 'SSLCACertificateFile' to point to it. magically, IE then
> trusted the certificate. so why does this work? i mean, why can't i
> start forging ssl certificates that are trusted by my own ca files that
> i host locally? do browsers do any verification of ca files served up by
> remote machines? feel free to point me to documentation on this one...
The difference is that the CA certificate they would have had you install (a) is signed by a CA that the browser *does* trust and (b) contains a flag saying "this certificate may be used to sign other certificates."

SSLCertificateChainFile (and SSLCACertificateFile in this case) is all about establishing a chain of trust back to some entity (a root CA) that the browser does trust.

Take a look at the CA certificate they gave you... it will have been signed by some root CA (is Thawte the only one that actually provides this service? Maybe Verisign does, I don't know.), and you'll see the special capabilities flags in there as well.

--Cliff

--------------------------------------------------------------
Cliff Woolley
Apache HTTP Server Project

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List
Automated List Manager
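An added example, not part of this thread and not mod_ssl code, that plays out the three cases behind Cliff's answer with Go's standard crypto/x509 chain builder standing in for the browser: a leaf signed by an intermediate that chains to a trusted root and carries the CA flag (trusted); a leaf signed by a self-made CA the root store has never seen (rejected, point (a)); and a leaf signed by a certificate the trusted root did issue but without the CA flag (rejected, point (b)). The root store, all names, hostnames and serial numbers are constructed for the example; the server-sent certificates go into the Intermediates pool, which is the same role SSLCertificateChainFile plays.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template for a constructed name; isCA is the
// basicConstraints CA flag, the "may sign other certificates" bit.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // ordinary server certificate: name in the SAN, server-auth EKU
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key for tmpl and has parent sign it with parentKey.
// With parent == nil the certificate is self-signed, like a root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify does what a browser does: build a chain from the leaf through the
// certificates the server sent (the SSLCertificateChainFile role) to a root
// already in the browser's own store. Sent certificates are never trusted on
// their own; they only serve as links back to that store.
func Verify(leaf *x509.Certificate, sent []*x509.Certificate, store *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: store, Intermediates: inter})
	return err
}

// Scenarios plays the three cases from the thread against a constructed root
// store and returns each case's verification error (nil means trusted).
func Scenarios() (map[string]error, error) {
	root, rootKey, err := issue(template("Example Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	store := x509.NewCertPool() // stands in for the browser's root store
	store.AddCert(root)
	cases := []struct {
		name   string
		tmpl   *x509.Certificate // the certificate that will sign the server's leaf
		parent *x509.Certificate // who signs that certificate (nil: self-signed)
		pkey   *ecdsa.PrivateKey
	}{
		{"signed by trusted root, CA flag set", template("Example Issuing CA", 2, true), root, rootKey},
		{"self-made CA not in root store", template("My Own CA", 3, true), nil, nil},
		{"signed by trusted root, CA flag missing", template("notaca.example.org", 4, false), root, rootKey},
	}
	results := map[string]error{}
	for i, c := range cases {
		signer, signerKey, err := issue(c.tmpl, c.parent, c.pkey)
		if err != nil {
			return nil, err
		}
		leaf, _, err := issue(template("www.example.org", int64(10+i), false), signer, signerKey)
		if err != nil {
			return nil, err
		}
		results[c.name] = Verify(leaf, []*x509.Certificate{signer}, store)
	}
	return results, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verr := range results {
		fmt.Printf("%-40s -> %v\n", name, verr)
	}
}
```

Run it with `go run`: only the first case comes back with a nil error; the self-made CA fails because no path leads into the root store, and the CA:FALSE signer fails because the chain builder refuses to accept a certificate without the CA flag as an issuer, even though the trusted root signed it. Hosting a CA file on your own server changes nothing about either check.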