You're looking at a couple of issues here. (First, please be aware that this is the OpenSSL users list, not necessarily a mod_ssl support list; however, since they're intertwined, we do have some knowledge of mod_ssl.)

What you need to do is change that from 'SSLCACertificateFile' to 'SSLCACertificateChainFile'. The documentation on SSLCACertificateChainFile:

    This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.

NOTE: If you do not construct the path properly by hand, SSLCACertificateChainFile *WILL* cause ALL of the certificates in the chain file to be inserted (after decoding to DER) into the certificate chain in the TLS layer. This causes a violation of the TLS and SSLv3 protocols (and is arguably a bug, though I haven't taken the time to sit down and generate a simple test case). Thus, please *only* place the certificates that are necessary to chain up to a presumably-known-to-the-client CA.

If you are not using client authentication, then you don't need any CAs set up for Client Verification. If you are, you need to set up a separate list of CAs from which you will accept certificates, include their certificates into a .PEM encoded/all-certs-concatenated file, and use that for SSLCACertificateFile with SSLVerifyClient 'optional_no_ca' or 'required'.

(I've always liked optional_no_ca, since it allows me to provide my own interface for 'Okay, you've provided a certificate, but it's not one that we understand. Please click here to try again.' (where 'click here' removes the server cache object), or 'You haven't provided a certificate, and we need one to know who you are. Please click here to try again.')

-Kyle H

On Thu, Aug 12, 2010 at 1:02 PM, Bill Moseley <mose...@hank.org> wrote:
> I am not trying to set up client auth on Apache, just install a new SSL certificate. The instructions[1] for the new certificate say to install an intermediate certificate:
>
>     SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt
>
> I've done that, confirmed the paths and the certificate, but apache reports:
>
>     [error] Unable to configure verify locations for client authentication
>
> If I comment out that directive in httpd.conf the server starts fine and the site works ok for some newer browsers, but older browsers (including FF3.6.8) report that the CA is unknown.
>
> Searching Google for that error message I find mostly people trying to set up client auth, which I'm not trying to do. For example: http://www.mail-archive.com/modssl-us...@modssl.org/msg17547.html, but again that user was trying to set up client auth, plus SSLCADNRequestFile is not a known config setting in my environment.
>
> Running an old version of Apache, unfortunately: Apache/2.0.54 (Debian GNU/Linux) mod_ssl/2.0.54 OpenSSL/0.9.7e
>
> Any ideas?
>
> Thanks,
>
> [1] https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15167
>
> --
> Bill Moseley
> mose...@hank.org