Posted to users@httpd.apache.org by La...@telenor.com on 2009/10/13 16:31:39 UTC

[users@httpd] SSL: Configuring CA Chains

Hi.

I'm trying to configure a set of CA Chains using the SSLCACertificatePath-parameter. I have three separate chains, one for each Intermediate CA I have. All these chains have the same Root CA.

I see a few things:

- When using SSLCACertificatePath, it seems like Apache is ignoring the verification depth. This causes the verification to fail. When explicitly including one of the chains using SSLCACertificateFile, verification is OK. For this reason, I know that the chain itself is valid.

- When using hash-links to each of the chains in the directory, I actually get each chain loaded twice. Is Apache really using the symlink? It seems to me like it is completely capable of reading all files in the directory without the symlinks.


I have now created a chain with all three intermediate CAs and the Root CA in one, and am then using SSLCACertificateFile. This actually works - but are there any issues with doing this? The three intermediate CAs have no relevance to each other; is it OK to include them all in one chain file? When using openssl to dump the contents of the chain, it shows only the first CA in the chain.


Kind regards,
Lars Ove Claesson
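
An added example, not part of the original post: `openssl x509` reads only the first PEM block in a file, so this Python code enumerates every certificate block in a bundle and flags repeated ones by the SHA-256 fingerprint of their DER bytes. The sample bundle is constructed placeholder data, not real certificates, and the names `list_bundle` and `SAMPLE_BUNDLE` are assumptions of this example.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block in a bundle.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def list_bundle(pem_text):
    """Return one record per certificate block found in a PEM bundle.

    Each record holds the block's position, the SHA-256 fingerprint of its
    DER bytes, and the position of an earlier identical block (or None).
    """
    seen = {}
    records = []
    for index, match in enumerate(PEM_CERT.finditer(pem_text)):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        fingerprint = hashlib.sha256(der).hexdigest()
        records.append({
            "index": index,
            "sha256": fingerprint,
            "duplicate_of": seen.get(fingerprint),
        })
        seen.setdefault(fingerprint, index)
    return records


def _fake_block(payload):
    # Constructed placeholder: arbitrary bytes in PEM armor, NOT a real certificate.
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample bundle: three "intermediates", a "root", and the root repeated.
SAMPLE_BUNDLE = "".join(
    _fake_block(name * 40)
    for name in (b"intermediate-1", b"intermediate-2", b"intermediate-3", b"root", b"root")
)

if __name__ == "__main__":
    for rec in list_bundle(SAMPLE_BUNDLE):
        note = "" if rec["duplicate_of"] is None else f" (same as #{rec['duplicate_of']})"
        print(f"#{rec['index']} sha256={rec['sha256'][:16]}...{note}")
```

For a real bundle, pass the file's text to `list_bundle`; the fingerprints match what `openssl x509 -fingerprint -sha256` reports for each certificate, apart from colon separators and letter case.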
