
I am attempting to use the mod_proxy SSLCACertificatePath directive, but I'm a tad bit confused on how to use it properly.

Here are two links explaining the SSLCACertificatePath directive:
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatepath
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC13

I'm not positive on how to create the hashed symbolic links. The second link states to use the apache make file, but I'm quite clueless on what is exactly being said there.

Any friendly guidance would be greatly appreciated.

Thank you for your time.

UPDATE

The goal of my question was to figure out how to handle multiple CAs for validating end user Client Certificates. I didn't realize that multiple PEM certificates could be used in one file, which, in my case, is clearly the right way to move forward.

Chris S
hooknc

2 Answers


If you are unclear on how to make the hash-named symlinks my suggestion is not to use CACertificatePath, but rather to use CACertificateFile instead. (Actually this is my suggestion in general: properly maintaining a CACertificateFile may be slightly more work if you have lots of CA certificates that change often, but you probably shouldn't have lots of CA Certificates, and they shouldn't change much anyway...) In addition it appears that the Makefile referenced has disappeared from Apache's distribution tarballs (and the general lack of public outcry may indicate how many people are using the "path" method of storing certificates :).

All that said, if you still want to do this you can proceed per what DerfK said (either get the old Makefile, or write your own script/makefile that runs `openssl x509 -noout -hash` against all your certificate files and creates appropriately-named symbolic links).

voretaq7
  • Thank you for your answer. Unfortunately, we are going to have multiple CA certs and they will be changing. Do you know how to have multiple certificates in one file? Is it as simple as cutting and pasting a certificate from one file into another file that has all the certificates? – hooknc Mar 21 '11 at 19:59
  • 1
    It is in fact as simple as cutting and pasting -- there used to be a `ca-bundle.crt` included with mod_ssl in the Apache 1.x days (and still available at http://certifie.com/ca-bundle/ca-bundle.crt.txt). For your sanity I would comment the file so you can tell which certificate block belongs to which CA if/when you need to change them later. – voretaq7 Mar 21 '11 at 20:14
  • Fantastic news. We most likely will be moving forward with this solution. Luckily someone else will be in charge of having to generate that .crt file. Thank you again for your time. – hooknc Mar 21 '11 at 20:55
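As an added illustration of the "cut and paste, but comment it" approach voretaq7 recommends (this is example code, not something from the answer or from the Apache project): the script below concatenates a list of PEM CA certificates into one `SSLCACertificateFile`, writes a comment header in front of each block naming the CA and its expiry, and then asks OpenSSL how many certificates it can actually parse back out of the bundle. OpenSSL, and therefore mod_ssl, ignores any text outside the `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines, so the comments are harmless. File names are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above: assemble the single file that
# SSLCACertificateFile reads, with a comment header before each
# certificate so you can tell which CA is which later. OpenSSL (and so
# mod_ssl) ignores text outside the BEGIN/END CERTIFICATE lines.
# File names used here are assumptions.
set -eu

# build_bundle OUT CERT...: write an annotated PEM block for each CERT into OUT.
build_bundle() {
    out=$1
    shift
    : > "$out"
    for cert in "$@"; do
        {
            echo "# $(openssl x509 -in "$cert" -noout -subject)"
            echo "# $(openssl x509 -in "$cert" -noout -enddate)"
            echo "# from: $cert"
            # re-emit only the certificate itself: drops stray text and
            # normalises line endings from whatever the CA handed you
            openssl x509 -in "$cert" -outform PEM
            echo
        } >> "$out"
    done
}

# count_certs BUNDLE: number of certificates OpenSSL actually parses from
# the bundle. If this is lower than the number of files you added, a
# block was truncated or pasted badly.
count_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep -c '^subject'
}

# usage: sh build-bundle.sh ca-bundle.crt ca1.crt ca2.crt ...
if [ $# -gt 1 ]; then
    build_bundle "$@"
    echo "$(count_certs "$1") certificate(s) in $1"
fi
```

Point `SSLCACertificateFile` at the output, and before reloading Apache run `openssl verify -CAfile ca-bundle.crt some-client.crt` against a known-good client certificate; if that fails, mod_ssl will reject the same client. Note that `openssl x509` only reads the first certificate in a file, so feed this script one certificate per input file.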

I found an open bug regarding this. Other than downloading the old modssl.org release referred to in the bug and getting the Makefile from it, it seems you can get the value of the hash from `openssl x509 -in foo.crt -noout -hash`, though it's not clear what the ".N" part refers to (perhaps this was for hash collisions, e.g. first cert with hash 12345678 has a symlink 12345678.1 pointing to it, second cert that has the same hash uses .2? Or maybe it starts with .0?)

If you get the `Makefile.crt` file from the old modssl, I believe what you would do is drop it in the folder with all your certificates, then run `make -f Makefile.crt` in that folder.

DerfK
  • Thank you for your answer. Pointing to that bug report really helped. Here is the direct link for the download of the resource mentioned in the bug: http://www.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz I did look at the Makefile.crt and I believe you're correct on the numbering scheme, but I'm not very good at *nix scripts. .1, .2, .3, etc... I did try using the commands you recommended and then the symbolic link named as the hash and everything seemed to work. I will have to try with multiple CA files now. – hooknc Mar 21 '11 at 20:14
  • 1
    The numbering does start with `.0`. – Raman Aug 13 '16 at 13:13
  • 1
    Here is the `Makefile` already extracted from the tar.gz: https://gist.github.com/rocketraman/9228a42b78e094b3c2218f6e57844ee0 – Raman Aug 13 '16 at 13:15
  • Running `make -f Makefile.crt` in the folder with certificates gives `Makefile.crt ... Skipped` error. – Serious Mar 02 '18 at 10:34
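For anyone who does still want the directory layout, here is the "write your own script" route that voretaq7 mentions, following the scheme DerfK's answer and Raman's comment work out: one `HASH.N` symlink per certificate, where the hash comes from `openssl x509 -noout -hash`, the first certificate with a given hash gets `.0`, and a collision bumps the suffix to `.1`, `.2` and so on. This is added example code, not the old `Makefile.crt` and not part of Apache; the directory path is an assumption.

```shell
#!/bin/sh
# Added example, not from either answer: build the HASH.N symlinks that
# SSLCACertificatePath expects (openssl x509 -noout -hash, suffix .0 for
# the first cert with a given hash, .1 for the next collision, ...).
# Paths are assumptions; point it at your own certificate directory.
set -eu

# cert_hash CERT: subject-name hash of the (first) certificate in a PEM file.
cert_hash() {
    openssl x509 -in "$1" -noout -hash
}

# rehash_dir DIR: drop old HASH.N links, then link every *.crt / *.pem in DIR.
rehash_dir() {
    dir=$1
    # remove links from an earlier run so removed or renamed CAs don't linger
    for link in "$dir"/????????.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for cert in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$cert" ] || continue            # an unmatched glob stays literal
        h=$(cert_hash "$cert")
        n=0
        while [ -e "$dir/$h.$n" ]; do         # collision: bump the suffix
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$h.$n"   # relative target, so the dir can move
        echo "$h.$n -> $(basename "$cert")"
    done
}

# verify_with_dir DIR CERT: the same hashed-directory lookup mod_ssl
# performs, via OpenSSL's own hash-dir certificate store.
verify_with_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# usage: sh rehash.sh /etc/httpd/conf/ssl.crt
if [ $# -gt 0 ]; then
    rehash_dir "$1"
fi
```

Two caveats a practitioner will hit. First, `openssl x509` only looks at the first certificate in a file, so the directory must hold one certificate per file (a bundle file in the directory would be hashed by its first entry only). Second, OpenSSL 1.0.0 changed the subject-hash algorithm; `-hash` prints the hash for the OpenSSL version you run it with, and `-subject_hash_old` prints the pre-1.0.0 value, so the links must be generated with the same OpenSSL generation that your Apache is linked against. On any current system the `c_rehash` script (and `openssl rehash` since OpenSSL 1.1.0) does this job, including emitting both hash styles, so prefer it to a home-grown script where it is available.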