On Wed, Sep 7, 2016 at 6:24 PM, Rob Crittenden <[email protected]> wrote:
> Oliver Graute wrote:
>>
>> Hello,
>>
>> in our project we tried to use two Virtual Hosts with two different
>> Certificate Chains in two NSS databases. One for local and one for
>> remote connections.
>>
>> After a bit of debugging it seems that this setup is not possible, because
>> NSS_Init is only called once and not called twice for every vhost entry.
>>
>> There is already a Bug 1256527 concerning this issue:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1256527
>>
>> What needs to be done to fix this limitation? So how hard can it be to
>> fix this?
>
> I haven't scoped it yet so I can't really say how difficult it will be.
>
>> What alternatives do we have to get two certificate chains working with nss?
>>
>> we thought that an alternative could be to start two separate Apache
>> instances. Is this an approach to go? Or do we get in trouble with nss lib too?
>
> I don't see why you can't have two server certificates and chains in the
> same NSS database as long as the subjects are unique. Is that not working
> for you?
>

The problem is that we have a requirement for a PKI with a Root CA with a separate Sub CA for LAN (local) and Sub CA for WAN (remote), which will build up two separate chains. A certificate that is verified by one chain shall not be verified by the other chain.

Best regards,

Oliver
