
I have the following hierarchy of certificates, and I need to do client authentication on Apache.

.
└── root (CA) - self-signed
    ├── intermediate 1 (CA)
    │   ├── client1
    │   └── client2
    └── intermediate 2 (CA)
        ├── client3
        └── client4

Who should store intermediate certificates (a client or a server)?

I would prefer to store just the root CA on the server and validate all client certs against it. The main reason is that the list of intermediate CAs can grow, and I don't want to update the certs stored in the Apache configuration all the time.

Is this technically feasible? Does the SSL protocol require clients to send the whole chain?

One thought on this subject: as I understand it, when a client authenticates a server, the server sends the whole chain to the client. I hope that it's symmetrical, and that when the server needs to authenticate the client, it's the client's responsibility to send the whole chain.

Victor Ronin

1 Answer


When a client authenticates a server, the server will send the chain that is defined in SSLCertificateChainFile, which is your responsibility as server admin. So when the client identifies itself, it is also responsible for sending the whole chain. Apache needs only to know about the CA certificate, which you define in SSLCACertificateFile. You may at your discretion also define chains here, which will make Apache more lenient towards clients not sending chains themselves.

When you sign certificates for users, make sure that the user is provided with the correct chain. Your user can construct a .p12 using the following OpenSSL command:

# ${SIGNED_CERT}: the user's certificate, ${PRIVATE_KEY}: the matching key,
# ${PROVIDED_CHAIN}: the intermediate CA certificate(s) you hand out with it
openssl pkcs12 -export -in ${SIGNED_CERT} -inkey ${PRIVATE_KEY} \
     -name ${USERNAME} -out ${OUTPUT_P12} -certfile ${PROVIDED_CHAIN}
jornane
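The following script is an added example and is not part of the answer above or of any Apache/OpenSSL documentation. It builds a throwaway root -> intermediate 1 -> client1 hierarchy with OpenSSL and then uses `openssl verify` to stand in for Apache's verification step: `-CAfile` plays the role of `SSLCACertificateFile` (the server's trust store) and `-untrusted` plays the role of the chain the client sends in the handshake. It shows the three situations the answer describes: a root-only trust store with a client that sends only its leaf (fails), the same trust store with a client that also sends the intermediate (succeeds), and a server bundle containing the intermediates (succeeds even for a chain-less client). It closes by packaging key, leaf and intermediate into a `.p12` and counting the certificates inside so you can confirm the chain actually shipped. All subject names, file names, the extension profiles and the `WORK` directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original answer. Requires the openssl CLI.
# Assumed layout: everything is written to $WORK (a fresh temp dir by default).
set -eu

WORK=${WORK:-$(mktemp -d)}

# Sign a CSR with a CA: $1 CSR, $2 CA cert, $3 CA key, $4 extension file, $5 output.
sign_with() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 7 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# Build root (self-signed CA), intermediate 1 (CA, signed by root) and client1
# (leaf, signed by intermediate 1). Intermediates must carry CA:TRUE or the
# verifier rejects them as issuers; leaves must not.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 7 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate 1" \
    -keyout "$WORK/int1.key" -out "$WORK/int1.csr" 2>/dev/null
  sign_with "$WORK/int1.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext" "$WORK/int1.pem"

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=client1" \
    -keyout "$WORK/client1.key" -out "$WORK/client1.csr" 2>/dev/null
  sign_with "$WORK/client1.csr" "$WORK/int1.pem" "$WORK/int1.key" "$WORK/leaf.ext" "$WORK/client1.pem"
}

# Server trusts only the root (SSLCACertificateFile = root.pem) and the client
# presents only its leaf: the verifier cannot find client1's issuer -> failure.
verify_leaf_only() {
  openssl verify -purpose sslclient -CAfile "$WORK/root.pem" "$WORK/client1.pem" >/dev/null 2>&1
}

# Same root-only trust store, but the client also sends intermediate 1 in its
# handshake chain (-untrusted): the chain now closes at the trusted root -> ok.
verify_with_client_chain() {
  openssl verify -purpose sslclient -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/int1.pem" "$WORK/client1.pem" >/dev/null 2>&1
}

# The answer's fallback: concatenate root and intermediates into the file named
# by SSLCACertificateFile, so even a client that sends no chain verifies.
verify_with_server_bundle() {
  cat "$WORK/root.pem" "$WORK/int1.pem" > "$WORK/ca-bundle.pem"
  openssl verify -purpose sslclient -CAfile "$WORK/ca-bundle.pem" "$WORK/client1.pem" >/dev/null 2>&1
}

# Package key + leaf + intermediate for the user (the answer's pkcs12 command)
# and print how many certificates the .p12 holds: 2 means the chain shipped.
build_p12_and_count_certs() {
  openssl pkcs12 -export -in "$WORK/client1.pem" -inkey "$WORK/client1.key" \
    -name client1 -certfile "$WORK/int1.pem" -passout pass:changeit \
    -out "$WORK/client1.p12" 2>/dev/null
  openssl pkcs12 -in "$WORK/client1.p12" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if command -v openssl >/dev/null 2>&1; then
  build_pki
  if verify_leaf_only; then echo "root only, leaf only:        verified"
  else echo "root only, leaf only:        FAILED (no issuer for client1)"; fi
  if verify_with_client_chain; then echo "root only, client sends int: verified"
  else echo "root only, client sends int: FAILED"; fi
  if verify_with_server_bundle; then echo "server bundle, leaf only:    verified"
  else echo "server bundle, leaf only:    FAILED"; fi
  echo "certificates in client1.p12: $(build_p12_and_count_certs)"
fi
```

The practical reading: with only the root in `SSLCACertificateFile`, every client must ship its intermediate, which is exactly what the `-certfile` argument to `openssl pkcs12` puts into the user's bundle. If you cannot control every client, append the intermediates to the server-side file instead; `openssl verify -CAfile` treats everything in that file as trusted, as Apache does, so an intermediate listed there is accepted as an issuer whether or not the client sent it.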