Posted to cvs@httpd.apache.org by rb...@apache.org on 2011/10/27 15:25:07 UTC

svn commit: r1189746 - in /httpd/httpd/branches/2.2.x/docs/manual/ssl: ssl_faq.html.en ssl_faq.xml

Author: rbowen
Date: Thu Oct 27 13:25:07 2011
New Revision: 1189746

URL: http://svn.apache.org/viewvc?rev=1189746&view=rev
Log:
Applies patch from Tomas Pospisek <tpo2 sourcepole ch> improving SSL FAQ on the topic of intermediate certs.  

Modified:
    httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.html.en
    httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml

Modified: httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.html.en?rev=1189746&r1=1189745&r2=1189746&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.html.en (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.html.en Thu Oct 27 13:25:07 2011
@@ -276,7 +276,7 @@ Verisign, for installing my Verisign cer
 <li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
 facility (aka Verisign Global ID) with mod_ssl?</a></li>
 <li><a href="#gid">Why do browsers complain that they cannot
-verify my Verisign Global ID server certificate?</a></li>
+verify my server certificate?</a></li>
 </ul>
 
 <h3><a name="keyscerts" id="keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></h3>
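Review bot: the retitled entry "verify my server certificate?" still links to `#gid`, an anchor named after the Global ID product that the title no longer mentions. Keeping the anchor preserves existing inbound links, which is a reasonable choice, but it is worth stating in the log message so the id is not renamed later as a cleanup.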
@@ -628,15 +628,23 @@ facility (aka Verisign Global ID) with m
 
 
 <h3><a name="gid" id="gid">Why do browsers complain that they cannot 
-verify my Verisign Global ID server certificate?</a></h3>
-<p>Verisign uses an intermediate CA certificate between the root CA 
-    certificate (which is installed in the browsers) and the server 
-    certificate (which you installed on the server). You should have 
-    received this additional CA certificate from Verisign.
-    If not, complain to them. Then, configure this certificate with the
-    <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code> 
-    directive. This ensures that the intermediate CA certificate is 
-    sent to the browser, filling the gap in the certificate chain.</p>
+verify my server certificate?</a></h3>
+    <p>One reason this might happen is because your server certificate is signed
+    by an intermediate CA. Various CAs, such as Verisign or Thawte, have started
+    signing certificates not with their root certificate but with intermediate
+    certificates.</p>
+
+    <p>Intermediate CA certificates lie between the root CA certificate (which is
+    installed in the browsers) and the server certificate (which you installed
+    on the server). In order for the browser to be able to traverse and verify
+    the trust chain from the server certificate to the root certificate it
+    needs need to be given the intermediate certificates. The CAs should
+    be able to provide you such intermediate certificate packages that can be
+    installed on the server.</p>
+
+    <p>You need to include those intermediate certificates with the
+    <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code>
+    directive.</p>
 
 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="section">
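Review bot: duplicated word in the second added paragraph, "it needs need to be given the intermediate certificates"; this should read "it needs to be given the intermediate certificates". The same slip appears in the matching ssl_faq.xml hunk, so both files should be corrected together.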

Modified: httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml?rev=1189746&r1=1189745&r2=1189746&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml Thu Oct 27 13:25:07 2011
@@ -283,7 +283,7 @@ Verisign, for installing my Verisign cer
 <li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
 facility (aka Verisign Global ID) with mod_ssl?</a></li>
 <li><a href="#gid">Why do browsers complain that they cannot
-verify my Verisign Global ID server certificate?</a></li>
+verify my server certificate?</a></li>
 </ul>
 
 <section id="keyscerts"><title>What are RSA Private Keys, CSRs and Certificates?</title>
@@ -635,15 +635,23 @@ facility (aka Verisign Global ID) with m
 </section>
 
 <section id="gid"><title>Why do browsers complain that they cannot 
-verify my Verisign Global ID server certificate?</title>
-<p>Verisign uses an intermediate CA certificate between the root CA 
-    certificate (which is installed in the browsers) and the server 
-    certificate (which you installed on the server). You should have 
-    received this additional CA certificate from Verisign.
-    If not, complain to them. Then, configure this certificate with the
-    <directive module="mod_ssl">SSLCertificateChainFile</directive> 
-    directive. This ensures that the intermediate CA certificate is 
-    sent to the browser, filling the gap in the certificate chain.</p>
+verify my server certificate?</title>
+    <p>One reason this might happen is because your server certificate is signed
+    by an intermediate CA. Various CAs, such as Verisign or Thawte, have started
+    signing certificates not with their root certificate but with intermediate
+    certificates.</p>
+
+    <p>Intermediate CA certificates lie between the root CA certificate (which is
+    installed in the browsers) and the server certificate (which you installed
+    on the server). In order for the browser to be able to traverse and verify
+    the trust chain from the server certificate to the root certificate it
+    needs need to be given the intermediate certificates. The CAs should
+    be able to provide you such intermediate certificate packages that can be
+    installed on the server.</p>
+
+    <p>You need to include those intermediate certificates with the
+    <directive module="mod_ssl">SSLCertificateChainFile</directive>
+    directive.</p>
 </section>
 </section>
 <!-- /certs -->
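Review bot: the final added paragraph drops what the removed text said the directive achieves ("This ensures that the intermediate CA certificate is sent to the browser, filling the gap in the certificate chain"). As written, the reader is told to use SSLCertificateChainFile without being told that this is what makes the server hand the intermediates to the browser; I would keep a sentence to that effect after "directive." Separately, "One reason this might happen" promises more than one cause but the section gives only this one, so either name the others or open with wording that does not imply a list.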