changelog in 2.4.8 " *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
SSLCertificateFile and SSLCertificateKeyFile directives, to enable future algorithm agility, and deprecate the SSLCertificateChainFile directive (obsoleted by SSLCertificateFile). [Kaspar Brand]" 2014-10-07 19:49 GMT+02:00 dE <de.tec...@gmail.com>: > On 10/07/14 22:42, Daniel wrote: > > SSLCertificateChainFile is deprecated in 2.4 in favour of > SSLCaCertificateFile > > 2014-10-07 16:59 GMT+02:00 dE <de.tec...@gmail.com>: > >> On 10/07/14 18:12, Igor Cicimov wrote: >> >> >> >> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.tec...@gmail.com> wrote: >> >>> Hi. >>> >>> I'm in a situation where I got 3 certificates >>> >>> server.pem -- the end user certificate which's sent by the server to the >>> client. >>> intermediate.pem -- server.pem is signed by intermediate.pem's private >>> key. >>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key. >>> >>> combined.pem is created by -- >>> >>> cat server.pem intermediate.pem > combined.pem >>> >>> Issuer.pem is installed in the web browser. >>> >>> The chain is working, I can verify this via the SSL command -- >>> >>> cat intermediate.pem issuer.pem > cert_bundle.pem >>> openssl verify -CAfile cert_bundle.pem server.pem >>> server.pem: OK >>> >>> However the browsers (FF, Chrome, Konqueror and wget) fail >>> authentication, claiming there are no certificates to verity server.pem's >>> signature. >>> >>> I'm using Apache 2.4.10 with the following -- >>> >>> SSLCertificateFile /tmp/combined.pem >>> SSLCertificateKeyFile /tmp/server.key >>> >>> >> Try this: >> >> $ cat issuer.pem intermediate.pem > CA_chain.pem >> >> SSLCertificateFile server.pem >> SSLCertificateKeyFile server.key >> SSLCertificateChainFile CA_chain.pem >> >> >> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with >> 2.4) with the same issue. >> > > > No, you can see it here -- > > http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile > > when SSLCertificateFile > <http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile> > was extended to also load intermediate CA certificates from the server > certificate file. > >