You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rb...@apache.org on 2011/10/27 15:17:01 UTC

svn commit: r1189739 - /httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml

Author: rbowen
Date: Thu Oct 27 13:17:00 2011
New Revision: 1189739

URL: http://svn.apache.org/viewvc?rev=1189739&view=rev
Log:
Applies patch from Tomas Pospisek <tpo2 sourcepole ch> improving SSL FAQ on the topic of intermediate certs.

Modified:
    httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml?rev=1189739&r1=1189738&r2=1189739&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml Thu Oct 27 13:17:00 2011
@@ -207,7 +207,7 @@ certificate" error?</a></li>
 <li><a href="#pemder">How can I convert a certificate from PEM to DER
 format?</a></li>
 <li><a href="#gid">Why do browsers complain that they cannot
-verify my Verisign Global ID server certificate?</a></li>
+verify my server certificate?</a></li>
 </ul>
 
 <section id="keyscerts"><title>What are RSA Private Keys, CSRs and Certificates?</title>
@@ -475,16 +475,24 @@ Certificate for testing purposes?</title
     <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
 </section>
 
-<section id="gid"><title>Why do browsers complain that they cannot
-verify my Verisign Global ID server certificate?</title>
-<p>Verisign uses an intermediate CA certificate between the root CA
-    certificate (which is installed in the browsers) and the server
-    certificate (which you installed on the server). You should have
-    received this additional CA certificate from Verisign.
-    If not, complain to them. Then, configure this certificate with the
+<section id="gid"><title>Why do browsers complain that they cannot verify my server certificate?</title>
+
+    <p>One reason this might happen is because your server certificate is signed
+    by an intermediate CA. Various CAs, such as Verisign or Thawte, have started
+    signing certificates not with their root certificate but with intermediate
+    certificates.</p>
+
+    <p>Intermediate CA certificates lie between the root CA certificate (which is
+    installed in the browsers) and the server certificate (which you installed
+    on the server). In order for the browser to be able to traverse and verify
+    the trust chain from the server certificate to the root certificate it
+    needs need to be given the intermediate certificates. The CAs should
+    be able to provide you such intermediate certificate packages that can be
+    installed on the server.</p>
+
+    <p>You need to include those intermediate certificates with the
     <directive module="mod_ssl">SSLCertificateChainFile</directive>
-    directive. This ensures that the intermediate CA certificate is
-    sent to the browser, filling the gap in the certificate chain.</p>
+    directive.</p>
 </section>
 </section>
 <!-- /certs -->