It's my first time dealing with SSL, and I'd like to know if I got this right or not.
I create self-signed client certificates with a self-created CA, my-own-CA.crt.
When I buy a Server-Certificate of a trusted CA, I get a
SSL-Certificate-File telesec-server.crt
SSL-Certificate-Chain-File telesec-ca.crt
and I already got my
SSL-Certificate-Key-File my-server.key
Now let's get to my apache2 configuration:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /somepath/telesec-server.crt
SSLCertificateKeyFile /somepath/my-server.key
SSLCertificateChainFile /somepath/telesec-ca.crt
# THIS IS THE IMPORTANT PART FOR ME NOW
SSLCACertificatePath /somepath
SSLCACertificateFile /somepath/my-own-ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
<Location />
SSLRequire %{SSL_CLIENT_M_SERIAL} in {"1234567890"}
</Location>
Will this configuration allow me to use my self-signed client certificate to get access to my website, while using a trusted server certificate?
Right now I have the server certificate self-signed. People accessing my website using those client certificates are getting some security messages. Will this message be gone when I use the trusted server certificate?
Will I still be able to use my self-signed client certificates? My expectation here is also that the users are shown a safe server, but they can use the certificates I create on my own. This would mean that the apache configuration options
SSLCACertificatePath and SSLCACertificateFile are optional fields, which check (if set) whether the client certificate that is trying to connect is signed by the certificate set in this option, right?
I just need to make sure of this, because I'm going to buy a few server certificates very soon, and I really want to have these questions answered.
Yeah, correct spelling is still hard for me. Sorry for that. I looked again in the apache documentation to check the options CACertificatePath and CACertificateFile - This can be used alternatively and/or additionally to SSLCACertificatePath. - you're right. Thanks for the tip. – Yaerox – 2016-02-11T14:35:57.430
@Mike: More specifically, OpenSSL can use either a bundled file or a "hashed directory", while GnuTLS only supports a single-file bundle. /// Speaking of which, note that SSLCertificateChainFile is deprecated as well – the "chain" contents should be appended to your certificate file instead. – user1686 – 2016-02-12T05:32:02.827