
there's something I can't understand with the SSLCACertificateFile parameter on Apache SSL conf. Say, for example, I have a ROOT cert "A" that issued an intermediate cert "B". Then, I produced a couple of leaf certificates using B, say "L1", "L2".

Now, according to the documentation, if I want to trust only L1 and L2 I should put "B" and "A" inside a file pointed by SSLCACertificateFile (if I put only certificate "B" Apache gives an unable-to-find-issuer error).

Now, let's produce another certificate, "C", derived from "A" (the root). Would Apache trust a peer that's using certificate C? To me, it is a "yes, it will" as Apache will find the issuer of "C" inside the SSLCACertificateFile, it is "A"! But I don't want to trust C, I only want to trust L1 and L2.

Am I missing something?

many thanks!

1 Answer


So, if I understand correctly, this is your certificate structure:

ROOT cert A
|--> Intermediate Cert B
  |-->  Leaf Certificate L1
  |-->  Leaf Certificate L2
|--> Certificate C

Unfortunately, if you want your browser to only trust L1 and L2, then Certificate C will need to be signed by a different root certificate.

This is due to the inherent nature of certificates. When you trust Root Certificate A, you are essentially saying, "Trust everything that this certificate signs." It has the intended effect of trusting intermediate certificate B, like you want, but you cannot then say "don't trust anything else."

scuba_mike
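The behaviour described in the question and the answer can be reproduced with a throwaway PKI built by openssl. This is an added demo script, not part of the question or the answer; the file names, the CNs and the extra root "D" (the "different root" the answer recommends for C) are my own assumptions.

```shell
#!/bin/sh
# Build root A, intermediate B (issued by A), leaves L1/L2 (issued by B),
# C (issued directly by A) and C2 (issued by an unrelated root D), then
# verify each against a CA file like the one SSLCACertificateFile points to.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles: CA certs may sign, leaves may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# Helpers (constructed for this demo): NAME.key / NAME.csr / NAME.crt
newkey()   { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null; }
csr()      { openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null; }
selfsign() { openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile ca.ext -out "$1.crt" 2>/dev/null; }
# sign NAME ISSUER EXTFILE
sign()     { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
               -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null; }

newkey A;  csr A  "Root A";          selfsign A
newkey B;  csr B  "Intermediate B";  sign B  A ca.ext
newkey L1; csr L1 "Leaf L1";         sign L1 B leaf.ext
newkey L2; csr L2 "Leaf L2";         sign L2 B leaf.ext
newkey C;  csr C  "Certificate C";   sign C  A leaf.ext
newkey D;  csr D  "Root D";          selfsign D
newkey C2; csr C2 "Certificate C";   sign C2 D leaf.ext   # C reissued under a separate root

cat A.crt B.crt > bundle_AB.pem   # what the question puts in SSLCACertificateFile
cp B.crt bundle_B.pem             # the "only B" variant from the question

# verdict CAFILE NAME -> prints "accepted" or "rejected"; always exits 0.
verdict() {
  if openssl verify -CAfile "$1" "$2.crt" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

for name in L1 L2 C C2; do
  echo "A+B bundle, $name: $(verdict bundle_AB.pem "$name")"
done
echo "B-only bundle, L1: $(verdict bundle_B.pem L1)"
```

With A and B in the bundle, L1, L2 and C are all accepted (C chains straight to the trusted root A) while C2 is rejected; with only B in the bundle, L1 fails because openssl cannot reach a self-signed root, which is the unable-to-find-issuer error the question mentions.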