Posted to users@httpd.apache.org by "Durairaj, Srinivasan (NSN - IN/Hyderabad)" <sr...@nsn.com> on 2012/03/08 08:09:24 UTC

[users@httpd] enable HTTPD to support multi-layer certificates (ca chain)

Hi,
I want to enable HTTPD to support multi-layer certificates (ca chain).
I had 2 options
Option 1:
We can configure SSLCertificateFile (EE file) and SSLCertificateChainFile (CA Chain)

Option 2:
We can configure SSLCertificateFile (EE+CA Chain)

When we tested, we found that Option 1 worked and Option 2 did not.
Any idea if I have missed anything in Option 2, or how to make Option 2 work?
HTTP version is 2.2.3

Regards
Srini

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] enable HTTPD to support multi-layer certificates (ca chain)

Posted by Igor Cicimov <ic...@gmail.com>.
I wonder why the setting SSLCertificateChainFile would even exist if you
can get away with option 2?
On Mar 8, 2012 6:21 PM, "Durairaj, Srinivasan (NSN - IN/Hyderabad)" <srinivasan.durairaj@nsn.com> wrote:

> Hi,
> I want to enable HTTPD to support multi-layer certificates (ca chain).
> I had 2 options
> Option 1:
> We can configure SSLCertificateFile (EE file) and SSLCertificateChainFile
> (CA Chain)
>
> Option 2:
> We can configure SSLCertificateFile (EE+CA Chain)
>
> When we tested, we found that Option 1 worked and Option 2 did not.
> Any idea if I have missed anything in Option 2, or how to make Option 2 work?
> HTTP version is 2.2.3
>
> Regards
> Srini

Re: [users@httpd] enable HTTPD to support multi-layer certificates (ca chain)

Posted by Noel Butler <no...@ausics.net>.
On Thu, 2012-03-08 at 07:58 -0500, Mark Montague wrote:

> On March 8, 2012 2:09 , "Durairaj, Srinivasan (NSN - IN/Hyderabad)" 
> <sr...@nsn.com> wrote:
> > I want to enable HTTPD to support multi-layer certificates (ca chain).
> > I had 2 options
> > Option 1:
> > We can configure SSLCertificateFile (EE file) and SSLCertificateChainFile (CA Chain)
> >
> > Option 2:
> > We can configure SSLCertificateFile (EE+CA Chain)
> >
> > When we tested, we found that Option 1 worked and Option 2 did not.
> > Any idea if I have missed anything in Option 2, or how to make Option 2 work?
> > HTTP version is 2.2.3
> 
> Why do you think Option 2 should work?  What is bad about Option 1?  
> What problem are you trying to solve?
> 


I agree. So many people using option 2 in other software
(postfix/dovecot etc.) get the order WRONG, and the chain fails, half
the time without them even knowing.  I've seen plenty ask that a chain
option be introduced in other software, because it avoids the guessing
game by newbies. I have not actually tried it in httpd, but maybe it does
work, and the OP, like many before him, got the order wrong.


Re: [users@httpd] enable HTTPD to support multi-layer certificates (ca chain)

Posted by Mark Montague <ma...@catseye.org>.
On March 8, 2012 2:09 , "Durairaj, Srinivasan (NSN - IN/Hyderabad)" 
<sr...@nsn.com> wrote:
> I want to enable HTTPD to support multi-layer certificates (ca chain).
> I had 2 options
> Option 1:
> We can configure SSLCertificateFile (EE file) and SSLCertificateChainFile (CA Chain)
>
> Option 2:
> We can configure SSLCertificateFile (EE+CA Chain)
>
> When we tested, we found that Option 1 worked and Option 2 did not.
> Any idea if I have missed anything in Option 2, or how to make Option 2 work?
> HTTP version is 2.2.3

Why do you think Option 2 should work?  What is bad about Option 1?  
What problem are you trying to solve?

The documentation is pretty clear.  
https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatefile 
says that the file specified by SSLCertificateFile contains the
certificate for the server and, optionally, the private key.  It does 
not mention anything about CA certificates.  On the other hand, 
https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile 
says that SSLCertificateChainFile specifies the "all-in-one" file 
containing certificates from the server certificate up through and 
including the root CA certificate.

--
   Mark Montague
   mark@catseye.org

