I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL Cert on my site. My existing configuration uses the following directives:

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
    SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
    SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
    SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt

In the Network Solutions instructions, it recommends using the following:

    SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt

In the Apache mod_ssl documentation (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html), it states the following:

SSLCertificateChainFile

This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication.

Example:

    SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

SSLCACertificateFile

This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.

Example:

    SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt

My question is... should I include both directives in my configuration? Is there an advantage to doing so? Now that I am upgrading, do I need to consider modification of my SSLCipherSuite setting?

Any help would be appreciated. Thx.

nt

--
View this message in context: http://old.nabble.com/Which-SSL-Directives-to-use--tp27618358p27618358.html
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
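
The documentation excerpt quoted in the post separates the file used to build the server chain from the files that define which CAs are accepted for client authentication. As an added example (not part of the original post or of mod_ssl), the following sketch audits a flat config fragment for that distinction; the function names and finding labels are hypothetical, and the two sample fragments are constructed from the directive sets quoted above.

```python
import shlex

# Constructed from the two directive sets quoted in the post above.
EXISTING = """
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt
"""
RECOMMENDED = """
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt
"""

# Directives the quoted documentation ties to client authentication.
CLIENT_CA = {"sslcacertificatefile", "sslcacertificatepath"}

def parse_directives(conf):
    """Map lowercased directive name -> argument list (names are case-insensitive)."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # skip blanks, comments and <VirtualHost> style containers
        parts = shlex.split(line)
        found[parts[0].lower()] = parts[1:]
    return found

def audit_chain_config(conf):
    """Return finding labels (hypothetical names) for one flat config fragment."""
    d = parse_directives(conf)
    client_ca = bool(CLIENT_CA & d.keys())
    # SSLVerifyClient defaults to "none" when the directive is absent.
    verify = (d.get("sslverifyclient") or ["none"])[0].lower()
    findings = []
    if "sslcertificatechainfile" not in d:
        findings.append("chain-from-client-ca-store" if client_ca else "no-chain-configured")
    if client_ca and verify != "none":
        findings.append("client-auth-accepts-listed-cas")
    return findings

if __name__ == "__main__":
    for name, conf in (("existing", EXISTING), ("recommended", RECOMMENDED)):
        print(name, audit_chain_config(conf))
```

The second finding only appears when client authentication is switched on, which is the side effect the quoted documentation warns about.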