I provide SSL pages on my web server, and I have a question. What is the difference between SSLCACertificateFile and SSLCertificateChainFile?

When I use SSLCertificateChainFile, I get warnings from a Japanese cellular phone browser, but when I use a PC browser (like IE or FF), there is no problem. On the other hand, SSLCACertificateFile didn't cause any problem for either browser.

Is there any difference when browsers connect to Apache?

Sjoerd C. de Vries
nam
    That's too easy. The root signature is not in the root store of the mobile phone, which is common. – Jun 22 '10 at 19:37

2 Answers

SSLCertificateChainFile was a correct option to choose but this directive became obsolete as of Apache 2.4.8. This directive caused the listed file to be sent along with the certificate to any clients that connect.

SSLCACertificateFile (hereafter "CACert") supersedes SSLCertificateChainFile (hereafter "Chain"), and additionally permits the use of the cert in question to sign client certificates. This sort of authentication is quite rare (at least for the moment), and if you aren't using it, there's IMHO no reason to augment its functionality by using CACert instead of Chain. On the flip side, one could argue that there's no harm in the additional functionality, and CACert covers all cases. Both arguments are valid.

Needless to say, if you ask the cert vendor, they'll always push for CACert over Chain, since it gives them another thing (client certs) that they can potentially sell you down the line. ;)

Dana the Sane
BMDan
  • Another thing to consider actually is the algorithm. "But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation." – http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile – Eddie Jul 05 '12 at 18:45
  • @Eddie Correct, though I believe it's important to mention that this affects both options equally. Also, it's probably worth pointing out that DSA certificates are (mercifully) vanishingly rare. – BMDan Mar 25 '13 at 20:22
Actually, both may be valid options.

Use SSLCertificateChainFile to publish your certificate signed by a public certificate authority (VeriSign, RapidSSL, etc.).

Use SSLCACertificateFile to provide your 'private' CA, which can issue client certificates that you can distribute to selected users. These client certificates are actually great for authentication (compared with basic password authentication), and typically are not required to be issued by a public CA (hence you can save some money).

So, if you want to add secure authorization to some portion of your web site, do this:

<Directory /var/www/html/authorized>
  SSLVerifyClient require
  SSLVerifyDepth  5

  SSLOptions +StrictRequire
  SSLUserName SSL_CLIENT_S_DN_CN
  SSLRequireSSL
</Directory>

Just for a short explanation: SSLUserName SSL_CLIENT_S_DN_CN will set the authenticated user name to the certificate's CommonName, versus the whole X.509 '/OU=Foo/CN=...' subject.

Alexander Pogrebnyak