[users@httpd] Configuring SSLCACertificatePath in httpd-ssl.conf

[Christopher Johnson <co...@gmail.com>]

Hello,

I have a bunch of CA's that I need to configure.  I have everything setup
correctly in the httpd-ssl.conf file referencing where my CA's are located.
The issue is from what I have read these need to be symlinked to work in
linux.  Is that the case?  How do i do it?  I haven't seen much
documentation on how it's supposed to be setup.

Thanks,

Chris Johnson

Re: [users@httpd] Configuring SSLCACertificatePath in httpd-ssl.conf

[Mark Montague <ma...@catseye.org>]

On July 19, 2011 10:16 , Christopher Johnson <co...@gmail.com> wrote:
> I have a bunch of CA's that I need to configure.  I have everything 
> setup correctly in the httpd-ssl.conf file referencing where my CA's 
> are located.  The issue is from what I have read these need to be 
> symlinked to work in linux.  Is that the case?  How do i do it?  I 
> haven't seen much documentation on how it's supposed to be setup.

Symbolic links are not important, in and of themselves. What is 
important is that the CA certificates can be found.  There are several 
ways to accomplish this.

mod_ssl (a part of Apache HTTP Server) uses OpenSSL for handling 
certificates and Certificate Authorities (CA).  OpenSSL, in turn, needs 
to be able to find the Certificate Authority certificates when it is 
presented with a certificate that it needs to verify.  There are three 
main ways for OpenSSL to find Certificate Authority certificates:

1. If you are configuring the CA certificate that was used to sign the 
certificate used by your server, then store the CA certificate in a file 
by itself and use the SSLCertificateChainFile directive to have mod_ssl 
tell OpenSSL name of this file.  You do not need to do anything beyond this.

If you are using certificate for client authentication (that is, 
certificates supplied by users' web browsers to the web server to prove 
the users' identities), or if you are proxying content and using 
certificates to verify the identities of the various front-end and 
back-end servers involved, then...

2. All CA certificates can be concatenated into a single file, and 
mod_ssl can give OpenSSL the name of this file (see the documentation 
for the SSLCACertificateFile, SSLProxyCACertificateFile, and 
SSLProxyMachineCertificateFile directives).  This is easy to configure, 
but it can be difficult or error-prone to add, replace, or remove CA 
certificates in this file, especially as the number of CAs gets large.  Or,

3. All CA certificates can be stored in a single directory, with each CA 
certificate having its own file in the directory.  mod_ssl gives OpenSSL 
the path to this directory (see the documentation for the 
SSLCACertificatePath, SSLProxyCACertificatePath, and 
SSLProxyMachineCertificatePath directives).  Since it would be 
inefficient (especially when there are a large number of CAs) for 
OpenSSL to open and read every file in the directory every time it needs 
to find a CA certificate, OpenSSL expects to have each file be named 
with the hash of the CA certificate that is in it, followed by a period 
and a serial number that starts at 0 and gets incremented for each file 
containing a certificate that has the same hash.  If OpenSSL gets a 
certificate that it needs to verify, signed by a CA certificate with 
hash 3f77a2b5, then it will look first in the file 3f77a2b5.0 and if the 
certificate in that file is not the one used to sign the certificate 
that is being verified, it will then look in the files 3f77a2b5.1, 
3f77a2b5.2, and so on.

When you install multiple CA certificates in a single directory, you can 
calculate the hash for each file (NAME-OF-CA-FILE) by using the command:

openssl x509 -noout -hash -in NAME-OF-CA-FILE

Once you know the hash (HASH), you can then rename the file so that 
OpenSSL can find it:

mv NAME-OF-CA-FILE HASH.0

However, this is a little unfriendly for the system administrator, since 
it is not obvious what CA certificates are present.  So many people 
choose to keep the original name of the file and create a symbolic link 
to that file for OpenSSL:

ln -s NAME-OF-CA-FILE HASH.0

This way, OpenSSL can find the correct CA certificate efficiently, and 
system administrators can know what CA certificates are present.

If you choose to use a directory for storing CA certificates 
one-per-file and you also choose to use symbolic links (instead of 
renaming the files), then you can use the c_rehash script that comes 
with OpenSSL to create and maintain the symbolic links.  This script may 
be difficult to find on some systems, run "locate c_rehash" to find out 
if it is installed in a non-obvious location.  If you don't have 
c_rehash on your system, you can download the OpenSSL source code from 
http://openssl.org/ and unpack it.  You'll then find c_rehash in the 
tools subdirectory.

c_rehash takes a single command line argument:  the patch to the 
directory containing the CA certificate files.  I usually run it like this:

cd /path/to/CA/cert/directory
c_rehash .

The documentation for Apache HTTP Server 2.2 also mentions a Makefile 
that comes as a part of mod_ssl that can be used to create the symbolic 
links.  However, I can't find this Makefile in the Apache HTTP Server 
source code; I suspect the documentation may be out of date in this regard.

I hope this helps.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Configuring SSLCACertificatePath in httpd-ssl.conf

[Christopher Johnson <co...@gmail.com>]

Hello,

I have a bunch of CA's that I need to configure.  I have everything setup
correctly in the httpd-ssl.conf file referencing where my CA's are located.
The issue is from what I have read these need to be symlinked to work in
linux.  Is that the case?  How do i do it?  I haven't seen much
documentation on how it's supposed to be setup.

Thanks,

Chris Johnson