On 9/13/10 2:58 PM, Paul B. Henson wrote:
> On Mon, 13 Sep 2010, Chris wrote:
>
>> Be careful you are not checking the web server from a browser that has
>> the intermediate certificate installed.
>
> I initially installed just the new cert on the web server, and the web
> browsers were generating cert security errors. I then went back and added
> the SSLCACertificateFile directive and the intermediate certs on the
> server; at that point the web browsers were happy. This leads me to believe
> the web server is correctly configured.

SSLCACertificateFile is an adjunct to SSLCACertificatePath, and thus is for statements about what CAs your system will accept for client authentication. The directive that does only what you want is SSLCertificateChainFile, which is an ordered collection of PEM-encoded intermediate certifiers which may or may not include the root. (The root *may* be provided. X.509 tends to rely on roots being pre-shared. For various reasons, I believe that it is useful to send to the client, including the possibility of root certificate-update with the same keypair -- there's no reason not to share that information unless dissemination of the root's public key is by policy to be restricted for some reason.)

-Kyle H
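
An added example, not part of the original messages: a browser-independent way to check Chris's caveat and the chain ordering Kyle describes, by classifying the `Certificate chain` section of `openssl s_client -showcerts` output. `HOST`, the function name, the verdict strings and the sample subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the output of
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# on stdin (HOST is a placeholder) and classifies the chain the server sent.
check_sent_chain() {
    awk '
        BEGIN { n = 0 }
        # "Certificate chain" entries: " 0 s:<subject>" then "   i:<issuer>"
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0; n++; next }
        END {
            if (n == 0) { print "NO_CERTS"; exit }
            if (n == 1) {
                # Only the server cert: clients must already hold the intermediate
                v = (subj[0] == iss[0]) ? "SELF_SIGNED" : "LEAF_ONLY"
                print v; exit
            }
            # Each certificate must be issued by the one that follows it
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "OUT_OF_ORDER"; exit }
            v = (subj[n - 1] == iss[n - 1]) ? "CHAIN_WITH_ROOT" : "CHAIN_WITHOUT_ROOT"
            print v
        }'
}

# Constructed sample: server sends only its own certificate.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
EOF
}

# Constructed sample: server sends leaf, intermediate and root, in order.
sample_full_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
 2 s:/C=US/O=Example CA/CN=Example Root CA
   i:/C=US/O=Example CA/CN=Example Root CA
EOF
}

sample_leaf_only | check_sent_chain
sample_full_chain | check_sent_chain
```

A `LEAF_ONLY` verdict means a client without the intermediate already cached cannot build a path to its trust anchor, whatever a particular browser shows.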
