On Fri, Jan 29, 1999, Larry Mulcahy wrote:

> "Ralf S. Engelschall" wrote:
> 
> > I think that's because NS 4.5 doesn't allow you to choose a certificate unless
> > mod_ssl sends the list of accepted CAs and mod_ssl cannot send it unless you
> > configure the CA with SSLCACertificatePath or SSLCACertificateFile.  So, for
> > instance put the VeriSign certificate which signed your _client_ cert into the
> > ssl.crt dir.
> 
> Hmm.  I had SSLCACertificatePath and SSLCACertificateFile pointing to a CA
> certificate I made myself with openssl.  I changed these to point to the
> mod_ssl ssl.crt directory and ssl_crt/ca-bundle.crt, respectively, and, as
> you say, Netscape was able to give my personal certificate to the mod_ssl
> server.  OK, I've always wondered what that CA bundle business was for.

The CA bundle just contains a lot of well-known CA certs, nothing more.  But
you've spoken about a free VeriSign test client cert, so I guess the CA cert
VeriSign uses for those test client certs isn't in the bundle file.

> What I'd really like is to have the server recognize the well-known CAs,
> plus any I create myself.  Is there a way to add CA certificates to the
> CA bundle?

You have to grab the CA certificate which was used by VeriSign to sign your test
client cert from VeriSign and place it under the ssl.crt/ dir (run "make" there
to update the links) or append it to the ca-bundle.crt file.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
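
Added example, not part of the original message and not mod_ssl code: one way to do the "append it to the ca-bundle.crt file" step so that a self-made CA is added next to the well-known ones without creating duplicate entries. The function names are hypothetical and the sample certificates are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# Matches one PEM certificate; free text between blocks (CA names etc.) is ignored.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_ders(text):
    """Return the DER bytes of every certificate block in a PEM text."""
    # validate=True raises binascii.Error on a corrupted block instead of skipping it.
    return [
        base64.b64decode("".join(m.group(1).split()), validate=True)
        for m in PEM_CERT.finditer(text)
    ]


def to_pem(der):
    """Encode DER bytes as a PEM certificate block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def append_cas(bundle_text, extra_text):
    """Append certificates from extra_text that the bundle lacks.

    Returns (new_bundle_text, number_added). Comparison is on the decoded
    bytes, so line wrapping and CRLF differences do not create duplicates.
    """
    seen = {hashlib.sha256(der).digest() for der in pem_ders(bundle_text)}
    out = bundle_text
    if out and not out.endswith("\n"):
        out += "\n"
    added = 0
    for der in pem_ders(extra_text):
        digest = hashlib.sha256(der).digest()
        if digest not in seen:
            seen.add(digest)
            out += to_pem(der)
            added += 1
    return out, added


# Constructed sample input: placeholder bytes standing in for real DER certificates.
BUNDLE = ("Well-known CA A\n" + to_pem(b"constructed placeholder: well-known CA A " * 3)
          + "Well-known CA B\n" + to_pem(b"constructed placeholder: well-known CA B " * 3))
OWN_CA = to_pem(b"constructed placeholder: self-made CA " * 3)

if __name__ == "__main__":
    merged, count = append_cas(BUNDLE, OWN_CA)
    print(count, "added;", len(pem_ders(merged)), "certificates in bundle")
```

The merged text is what SSLCACertificateFile would point to; every certificate in that file becomes a CA the server accepts client certificates from, so add only CAs you intend to trust.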
