SSL: Configuring CA Chains
on 13.10.2009 16:31:39 by Lars.Ove.Claesson

Hi.
I'm trying to configure a set of CA Chains using the SSLCACertificatePath-parameter. I have three separate chains, one for each Intermediate CA I have. All these chains have the same Root CA.

I see a few things:

- When using SSLCACertificatePath, it seems like Apache is ignoring the verification depth. This causes the verification to fail. When explicitly including one of the chains using SSLCACertificateFile, verification is OK. For this reason, I know that the chain itself is valid.
- When using hash-links to each of the chains in the directory, I actually get each chain loaded twice. Is Apache really using the symlink? It seems to me like it is completely capable of reading all files in the directory without the symlinks.

I have now created a chain with all three intermediate CAs and the Root CA in one, and then using SSLCACertificateFile. This actually works - but are there any issues with doing this? The three intermediate CAs have no relevance to each other, and is it OK to include them all in one chain file? When using openssl to dump the contents of the chain, it shows only the first CA in the chain.

Kind regards,
Lars Ove Claesson
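
An added example, not part of the original post: `openssl x509` reads only the first certificate in a file, so this Python check enumerates every certificate block in a set of PEM chain files and reports which ones are repeated across files (here, the shared root). The file names and the placeholder payloads are constructed for illustration and are not real certificates.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_CERT.findall(text)]


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def audit(files):
    """files maps name -> PEM text. Returns (counts, duplicates)."""
    counts, seen = {}, {}
    for name, text in files.items():
        ders = split_pem(text)
        counts[name] = len(ders)
        for der in ders:
            seen.setdefault(fingerprint(der), []).append(name)
    # Keep only certificates that occur more than once across all files
    dups = {fp: sorted(n) for fp, n in seen.items() if len(n) > 1}
    return counts, dups


def fake_pem(label):
    # Constructed placeholder bytes in PEM armor, NOT a real certificate
    body = base64.b64encode(("constructed-" + label).encode() * 4).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


ROOT = fake_pem("root")
# Hypothetical file names: three chain files that share one root
SAMPLE = {f"chain-{x}.pem": fake_pem("intermediate-" + x) + ROOT
          for x in "abc"}

if __name__ == "__main__":
    counts, dups = audit(SAMPLE)
    for name, n in counts.items():
        print(f"{name}: {n} certificate(s)")
    for fp, names in dups.items():
        print(f"{fp[:16]}... repeated in {', '.join(names)}")
```
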