Posted to users@httpd.apache.org by Ray Van Dolson <rv...@esri.com> on 2010/11/18 18:07:09 UTC

[users@httpd] Proper way to reference intermediate certificates in Apache 2.2.x

I just updated a Verisign certificate for one of our sites, and noticed
Firefox was complaining that it wasn't valid.  This usually happens
when Verisign's released a new intermediate certificate, and I
typically just install the new one and point to it using
SSLCACertificateFile.

This time around, that didn't work.

I RTFM and it seemed that SSLCACertificateFile had nothing at all to do
with intermediate certs, and everything to do with client
authentication, and that I _should_ be using SSLCertificateChainFile.
Several posts[1][2] I stumbled across seemed to confirm this as well.
I made the change in configuration directive, and sure enough,
everything began working.

Upon checking, I realized I have several other sites using
SSLCACertificateFile to point to an (older) intermediate cert file from
verisign.  I'm curious why this works when it appears to be the wrong
configuration directive for the job, but doesn't with the new
intermediate cert file?

[ One wrinkle is that with the newest intermediate cert from Verisign,
  they are actually providing a primary and secondary cert instead of
  just one. ]

Using Apache 2.2.x.

Thanks,
Ray

[1] http://httpd.markmail.org/thread/ip4oqm2ugbdhkdjx
[2] http://httpd.markmail.org/thread/6bxoeyaykx4fvcp7

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Proper way to reference intermediate certificates in Apache 2.2.x

Posted by Justin Pasher <ju...@distribion.com>.
----- Original Message -----
> From: Ray Van Dolson <rv...@esri.com>
> Date: Thu, 18 Nov 2010 09:07:09 -0800
> Subject: [users@httpd] Proper way to reference intermediate certificates in Apache 2.2.x
> To: users@httpd.apache.org
> 
>
> I just updated a Verisign certificate for one of our sites, and noticed
> Firefox was complaining that it wasn't valid.  This usually happens
> when Verisign's released a new intermediate certificate, and I
> typically just install the new one and point to it using
> SSLCACertificateFile.
>
> This time around, that didn't work.
>
> I RTFM and it seemed that SSLCACertificateFile had nothing at all to do
> with intermediate certs, and everything to do with client
> authentication, and that I _should_ be using SSLCertificateChainFile.
> Several posts[1][2] I stumbled across seemed to confirm this as well.
> I made the change in configuration directive, and sure enough,
> everything began working.
>
> Upon checking, I realized I have several other sites using
> SSLCACertificateFile to point to an (older) intermediate cert file from
> verisign.  I'm curious why this works when it appears to be the wrong
> configuration directive for the job, but doesn't with the new
> intermediate cert file?
>   

I'm no expert on these directives, but I'll share my experience. If you 
look carefully at the description of the SSLCertificateChainFile 
directive, you'll see that the big difference is that 
SSLCACertificatePath (and I assume SSLCACertificateFile) have the side 
effect of also allowing client certificates signed by that CA. 
Essentially the SSLCertificateChainFile directive allows you to break 
out the intermediate CA to only apply for the server certificate and not 
client certificates. I personally have never used client certificates, 
so in practice there is no difference for my setup.

-- 
Justin Pasher
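The configuration Ray describes switching to, written out as an added example for a 2.2.x virtual host (this is not from the thread or from the httpd project; file paths and names are placeholders). It puts the intermediates where mod_ssl expects them for building the server's chain and keeps SSLCACertificateFile for its documented purpose, the list of CAs trusted to sign client certificates. The old setup happened to work because, with no explicit chain configured, OpenSSL builds the chain it sends from whatever CA certificates it was handed for verification; that fallback stops being reliable once the issuer changes or two intermediates (the "primary" and "secondary" ones) are involved.

```apache
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # Server certificate and private key (placeholder paths).
    SSLCertificateFile      /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/www.example.com.key

    # Intermediate CA certificates only, nearest the server cert first:
    # the issuer of the server cert, then the issuer of that one, and so on.
    # When the CA hands out a "primary" and a "secondary" intermediate,
    # concatenate both PEM blocks into this single file in that order.
    SSLCertificateChainFile /etc/pki/tls/certs/intermediate-bundle.pem

    # Only needed when the site authenticates clients by certificate.
    # Because SSLCACertificateFile lists CAs allowed to sign client
    # certificates, pointing it at a public intermediate would also accept
    # client certificates issued under that CA once SSLVerifyClient is on.
    # SSLVerifyClient      require
    # SSLCACertificateFile /etc/pki/tls/certs/client-ca.pem
</VirtualHost>
```

After reloading, confirm that the server now presents the intermediate(s) in the handshake rather than relying on the client to have them cached; a browser that already holds the old intermediate will not show the problem, which is one reason a misconfiguration like this survives for years.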



Re: [users@httpd] Proper way to reference intermediate certificates in Apache 2.2.x

Posted by Igor Galić <i....@brainsware.org>.
----- "Ray Van Dolson" <rv...@esri.com> wrote:

> I just updated a Verisign certificate for one of our sites, and
> noticed
> Firefox was complaining that it wasn't valid.  This usually happens
> when Verisign's released a new intermediate certificate, and I
> typically just install the new one and point to it using
> SSLCACertificateFile.
> 
> This time around, that didn't work.
> 
> I RTFM and it seemed that SSLCACertificateFile had nothing at all to
> do
> with intermediate certs, and everything to do with client
> authentication, and that I _should_ be using SSLCertificateChainFile.
> Several posts[1][2] I stumbled across seemed to confirm this as well.
> I made the change in configuration directive, and sure enough,
> everything began working.

A couple of minutes of searching revealed:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR212&actp=LIST&viewlocale=en_US
and
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR193



> Upon checking, I realized I have several other sites using
> SSLCACertificateFile to point to an (older) intermediate cert file
> from
> verisign.  I'm curious why this works when it appears to be the wrong
> configuration directive for the job, but doesn't with the new
> intermediate cert file?

I suggest you test with 
openssl s_client -connect example.com:443 -showcerts -verify 1

That should help you understand what's going on.

> [ One wrinkle is that with the newest intermediate cert from
> Verisign,
>   they are actually providing a primary and secondary cert instead of
>   just one. ]
> 
> Using Apache 2.2.x.
> 
> Thanks,
> Ray
> 
> [1] http://httpd.markmail.org/thread/ip4oqm2ugbdhkdjx
> [2] http://httpd.markmail.org/thread/6bxoeyaykx4fvcp7



-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
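The s_client test Igor suggests, turned into a small check script as an added example (not from the thread). It parses the "Certificate chain" summary that `openssl s_client -showcerts` prints, counts the certificates the server presented, verifies that each certificate's issuer name matches the subject of the next one, and reports the verify return code. The two inputs are constructed samples in the slash-separated name format OpenSSL printed at the time; the organisation names and the connection details are made up.

```shell
#!/bin/sh
# Added example, not part of the thread: check `openssl s_client -showcerts`
# output for a complete, correctly ordered certificate chain.
# Both samples below are constructed; PEM bodies are omitted because only
# the "Certificate chain" summary and the verify code are parsed.

SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Inc/CN=www.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA G3
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA G3
   i:/C=US/O=Example CA/CN=Example Root CA
---
    Verify return code: 0 (ok)
---'

# Same server with the intermediate missing from the handshake: the client
# cannot build a path from the leaf to any trusted root.
SAMPLE_MISSING='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Inc/CN=www.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA G3
---
    Verify return code: 21 (unable to verify the first certificate)
---'

# chain_check: reads s_client output on stdin. Exits 0 only if the server
# presented more than one certificate and every issuer name equals the
# subject of the next certificate in the list; always prints the verify code.
chain_check() {
  awk '
    BEGIN { n = 0; rc = "not found" }
    /^ *[0-9]+ s:/        { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    /^ *i:/               { sub(/^ *i:/, ""); issuer[n] = $0; n++ }
    /Verify return code:/ { rc = $0; sub(/.*Verify return code: */, "", rc) }
    END {
      ok = 1
      if (n < 2) {
        print "only " n " certificate(s) presented; intermediate missing"
        ok = 0
      }
      for (k = 0; k + 1 < n; k++)
        if (issuer[k] != subj[k + 1]) {
          print "chain break after depth " k
          ok = 0
        }
      print "verify return code: " rc
      exit (ok ? 0 : 1)
    }'
}

# Live use against a real server would be:
#   openssl s_client -connect www.example.com:443 -showcerts < /dev/null | chain_check
printf '%s\n' "$SAMPLE_OK" | chain_check
printf '%s\n' "$SAMPLE_MISSING" | chain_check || echo "(second sample fails as expected)"
```

The name comparison is a plain string match, so it also works with the `C = US, O = ...` format newer OpenSSL releases print, as long as both lines come from the same s_client run. A depth-0-only chain with return code 21 is exactly the symptom Ray saw in Firefox: the leaf is fine, but nothing links it to a root the client trusts.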
