
I tried configuring multiple SSLCACertificateFile directives in a single vhost, but apparently Apache is only accepting requests with ca_sha256.cer as the root cert. Is there a way to support both SSLCACertificateFile entries in a single vhost without creating separate vhosts?

SSLCACertificateFile "C:/apache/conf/ca_sha1.cer"
SSLCACertificateFile "C:/apache/conf/ca_sha256.cer"
OTUser
    Why would you want to do that? You can only use one cert anyway, so there is no benefit to having multiple CAs. – Sven Sep 09 '19 at 17:07
  • @Sven there are multiple reasons for this. This is a new feature we are rolling out, so if we create a new vhost there is an additional cost involved in it. Also, we have one `vhost` to support TLS 1.2 only and another `vhost` for `TLS 1.0, 1.1`; having already 2 `vhosts`, we cannot come up with another logical name in production to create a third `vhost`. Also, creating a new endpoint increases the scope of the feature release significantly. – OTUser Sep 09 '19 at 18:03
  • @Sven SSLCACertificateFile is used to list the CAs you accept for incoming two-way SSL. You can accept multiple certificates in this and accept connections from any clients who present a cert matching one of these. Are you getting it confused with the deprecated SSLCertificateChainFile or SSLCertificateFile? – Barry Pollard Sep 09 '19 at 19:25
  • @RanPaul still don’t understand your use case, but AFAIK it is not possible to support different versions of TLS on different vhosts on the same server: https://serverfault.com/questions/637344/is-it-possible-to-set-an-sslprotocol-in-apache-for-a-single-virtualhost-poodle – Barry Pollard Sep 09 '19 at 19:28

1 Answer

No, it is not possible to do this; you must concatenate both files together so that you have one file with a list of all the CAs in it.

The easiest way to do what you want is to have the certificates in a directory, symlinked to the hash file name, and then use SSLCACertificatePath instead.

The process to create the hash filenames for each link is detailed here:

When you install multiple CA certificates in a single directory, you can calculate the hash for each file (NAME-OF-CA-FILE) by using the command:

openssl x509 -noout -hash -in NAME-OF-CA-FILE

Once you know the hash (HASH), you can then rename the file so that OpenSSL can find it:

mv NAME-OF-CA-FILE HASH.0

However, this is a little unfriendly for the system administrator, since it is not obvious what CA certificates are present. So many people choose to keep the original name of the file and create a symbolic link to that file for OpenSSL:

ln -s NAME-OF-CA-FILE HASH.0

This way, OpenSSL can find the correct CA certificate efficiently, and system administrators can know what CA certificates are present.

Barry Pollard
  • Our Apache is on Windows, so in our case, if we put both certs in one folder like `C:/apache/conf/ca/` and then put `SSLCACertificatePath C:/apache/conf/ca/` in Apache, will it work? – OTUser Sep 09 '19 at 20:07
  • Yes, but you still need to name the files correctly with the hash name. – Barry Pollard Sep 09 '19 at 20:08
  • Sorry, how do I place both files with the same name in Windows? – OTUser Sep 09 '19 at 20:10
  • Are these the same cert with the same hash value? – Barry Pollard Sep 09 '19 at 20:14
  • No, one has a `sha1` hash and the other one has a `sha256` hash – OTUser Sep 09 '19 at 20:15
  • Why? What are you using that does not support sha256 certificates? Everything does unless you are using really ancient, unsupported infrastructure. TLSv1 may not support sha256 ciphers but it does support sha256 certificates. Regardless, they either hash the same (in which case it doesn’t matter which you use) or they hash differently (in which case you will not have the same file name). – Barry Pollard Sep 09 '19 at 20:20
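The hash-naming procedure from the answer, carried through as a script, including the two cases the comments circle around: what happens when two CA certificates hash to the same name, and what to do on Windows where symlinks are inconvenient. This is an added example, not code from the answer, from Apache or from OpenSSL; it assumes `openssl` is on PATH and that the input folder holds PEM certificates. The function names (`build_ca_path`, `verify_ca_path`, `list_ca_path`) and the `copy` mode are this example's own.

```shell
#!/bin/sh
# Added example (not from the answer above, nor Apache/OpenSSL project code).
# Builds an SSLCACertificatePath directory from a folder of PEM CA files,
# naming each entry HASH.N the way OpenSSL's by-directory lookup requires.
# Assumes: openssl on PATH; input files are PEM certificates. The function
# names and the link|copy mode are this example's own conventions.
set -e

# build_ca_path SRC_DIR DEST_DIR [link|copy]
# "link" creates symlinks (Unix); "copy" copies the file, which is the
# practical choice on Windows. Two CAs whose subject hashes collide get
# consecutive suffixes (HASH.0, HASH.1, ...); OpenSSL tries each suffix in
# turn, so both remain reachable. Re-running on the same input is a no-op.
build_ca_path() {
    src=$1; dst=$2; mode=${3:-link}
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        # -hash is an alias of -subject_hash: 8 hex digits derived from the
        # certificate's subject DN only. The signature algorithm of the
        # certificate (SHA-1 vs SHA-256) plays no part in this value.
        h=$(openssl x509 -noout -hash -in "$f" 2>/dev/null) \
            || { echo "skipping $f: not a PEM certificate" >&2; continue; }
        n=0
        while [ -e "$dst/$h.$n" ]; do
            if cmp -s "$dst/$h.$n" "$f"; then n=''; break; fi   # already there
            n=$((n + 1))
        done
        [ -n "$n" ] || continue
        if [ "$mode" = copy ]; then
            cp "$f" "$dst/$h.$n"
        else
            ln -s "$(cd "$(dirname "$f")" && pwd)/$(basename "$f")" "$dst/$h.$n"
        fi
    done
}

# verify_ca_path DIR: every entry must be a parseable certificate whose file
# name matches its subject hash. A mis-named file is simply never found by
# the lookup, which from the outside looks like "only one CA is accepted".
verify_ca_path() {
    dir=$1; rc=0
    for e in "$dir"/*; do
        [ -f "$e" ] || continue
        name=$(basename "$e")
        case $name in
            ????????.[0-9]*) ;;
            *) echo "$name: not of the form HASH.N" >&2; rc=1; continue ;;
        esac
        got=$(openssl x509 -noout -hash -in "$e" 2>/dev/null) \
            || { echo "$name: not a certificate" >&2; rc=1; continue; }
        [ "$got" = "${name%.*}" ] \
            || { echo "$name: subject hash is $got" >&2; rc=1; }
    done
    return $rc
}

# list_ca_path DIR: show which CA sits behind each opaque HASH.N name, so an
# administrator can still tell what is installed (the answer's readability
# concern) even when "copy" mode is used instead of descriptive symlinks.
list_ca_path() {
    for e in "$1"/*; do
        [ -f "$e" ] || continue
        printf '%s\t%s\n' "$(basename "$e")" \
            "$(openssl x509 -noout -subject -in "$e" 2>/dev/null)"
    done
}
```

Typical use is `build_ca_path ./ca-sources ./ca copy && verify_ca_path ./ca && list_ca_path ./ca`, then point `SSLCACertificatePath` at `./ca`. On OpenSSL 1.1.0 and later `openssl rehash DIR` (or the older `c_rehash` script) does the same naming job in place; the script above is spelled out so the collision handling and the verification step are visible. Note that `openssl verify -CApath DIR cert.pem` is a quick end-to-end check that a CA in the directory can actually be found by hash.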