I'm seeking validation on an issue I'm discussing regarding the use of the
SSLCACertificateFile and SSLCertificateChainFile directives.

What I'm trying to do: Install an SSL certificate on my web site (for use
with HTTPS) and provide the certificate chain from the server.
What I'm not trying to do: Allow web site users to authenticate to my site
via their own certificates.

I'm being told by cPanel/WHM support that the two directives can be used
interchangeably when applying an SSL certificate to a site for Web Server
Authentication for the purposes of returning the certificate chain.  Even
through the WHM interface, when it asks for the "ca bundle," it adds the
SSLCACertificateFile directive to the httpd.conf for the resulting file.

Through my testing with openssl s_client and
http://www.sslshopper.com/ssl-checker.html, I'm seeing that when using the
SSLCACertificateFile directive, only the server certificate is returned.
However, when I change to the SSLCertificateChainFile directive, both the
Intermediate and CA certificates are returned in addition to the server
certificate.

I'm reading through the documentation on mod_ssl
(http://httpd.apache.org/docs/2.0/mod/mod_ssl.html) and under the
SSLCertificateChainFile directive, it says, "This should be used
alternatively and/or additionally to SSLCACertificatePath for explicitly
constructing the server certificate chain which is sent to the browser in
addition to the server certificate."  And under SSLCACertificateFile, it
says, "This can be used alternatively and/or additionally to
SSLCACertificatePath."  So I'm confused.

Can anyone explain why using SSLCertificateChainFile causes the server
certificate chain to be sent to the browser while using SSLCACertificateFile
doesn't despite the apparent link in the documentation?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
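
The openssl s_client comparison described in the message above can be scripted. This is an added example, not part of the original post: it parses the "Certificate chain" section of saved s_client output and reports how many certificates the server sent and whether they link up. The function names, file names and sample captures are assumptions constructed for illustration.

```shell
# Added example, not from the original post. Sample output is constructed.
# Live capture: openssl s_client -connect HOST:443 -showcerts </dev/null >out.txt

# chain_summary FILE prints "<count> <status>" for the "Certificate chain"
# section: none, leaf-only, linked (each i: equals the next s:), or broken.
chain_summary() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && n > 0 && /^ *i:/ { sub(/^ *i:/, ""); iss[n - 1] = $0 }
        END {
            status = (n == 0) ? "none" : ((n == 1) ? "leaf-only" : "linked")
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) status = "broken"
            print n + 0, status
        }' "$1"
}

# make_samples DIR writes two constructed captures modelled on the two
# results described in the post (old-style /C=.../CN=... name format).
make_samples() {
    cat >"$1/leaf.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/C=US/O=Example Intermediate CA
---
EOF
    cat >"$1/chain.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/C=US/O=Example Intermediate CA
 1 s:/C=US/O=Example Intermediate CA
   i:/C=US/O=Example Root CA
 2 s:/C=US/O=Example Root CA
   i:/C=US/O=Example Root CA
---
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
echo "leaf.txt:  $(chain_summary "$demo/leaf.txt")"
echo "chain.txt: $(chain_summary "$demo/chain.txt")"
rm -rf "$demo"
```

A "leaf-only" result means clients must already hold the intermediate certificate to build a path to a trusted root.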