On 03/16/2010 11:50 AM, Michael Torrie wrote:
Note that you will need to tell apache about the signing authority chain. This is essentially a list of who trusts who and is required for some reason or else your cert will not be seen as valid by the web browsers.My apache config has these three settings in it: SSLCertificateFile /etc/pki/tls/certs/<yourcert>.crt SSLCertificateKeyFile /etc/pki/tls/private/<yourkey>.key SSLCertificateChainFile /etc/pki/tls/certs/gd_intermediate_bundle.crt The gd_intermediate_bundle.crt is provided by godaddy.
Most of the Big Name Certificate Authorities already have their root certs in most of the browsers out there (required in order to authenticate your cert). Most of the less expensive CA companies do not. Instead, they buy a (rather expensive) chain cert from one of the Big Name CAs to sign their own certs against. The chain file connects the inexpensive cert to the expensive Big Name CA root cert in all the browsers of the world, letting the m function without having to make any potential customer go to your CA and get their specific cert. How many clients do you think would know how to do that? ;)
-Steve
smime.p7s
Description: S/MIME Cryptographic Signature
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
