Commit 8933584b authored by Richard Bowen

Applies patch from Tomas Pospisek <tpo2 sourcepole ch> improving SSL FAQ on...

Applies patch from Tomas Pospisek <tpo2 sourcepole ch> improving SSL FAQ on the topic of intermediate certs.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1189739 13f79535-47bb-0310-9956-ffa450edef68
parent d8f41f33
+18 −10
@@ -207,7 +207,7 @@ certificate" error?</a></li>
<li><a href="#pemder">How can I convert a certificate from PEM to DER
format?</a></li>
<li><a href="#gid">Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</a></li>
verify my server certificate?</a></li>
</ul>

<section id="keyscerts"><title>What are RSA Private Keys, CSRs and Certificates?</title>
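Review bot: The table-of-contents entry changed here now carries the generic title but still points at `#gid`, an id that only made sense while the question was about the Verisign Global ID. The link still resolves because the section keeps `id="gid"`, and renaming it would break existing deep links, so I would leave the id alone but add a short XML comment next to the section saying the id is kept for compatibility.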
@@ -475,16 +475,24 @@ Certificate for testing purposes?</title>
    <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
</section>

<section id="gid"><title>Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</title>
<p>Verisign uses an intermediate CA certificate between the root CA
    certificate (which is installed in the browsers) and the server
    certificate (which you installed on the server). You should have
    received this additional CA certificate from Verisign.
    If not, complain to them. Then, configure this certificate with the
<section id="gid"><title>Why do browsers complain that they cannot verify my server certificate?</title>

    <p>One reason this might happen is because your server certificate is signed
    by an intermediate CA. Various CAs, such as Verisign or Thawte, have started
    signing certificates not with their root certificate but with intermediate
    certificates.</p>

    <p>Intermediate CA certificates lie between the root CA certificate (which is
    installed in the browsers) and the server certificate (which you installed
    on the server). In order for the browser to be able to traverse and verify
    the trust chain from the server certificate to the root certificate it
    needs need to be given the intermediate certificates. The CAs should
    be able to provide you such intermediate certificate packages that can be
    installed on the server.</p>

    <p>You need to include those intermediate certificates with the
    <directive module="mod_ssl">SSLCertificateChainFile</directive>
    directive. This ensures that the intermediate CA certificate is
    sent to the browser, filling the gap in the certificate chain.</p>
    directive.</p>
</section>
</section>
<!-- /certs -->
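Review bot: The second new paragraph has a doubled verb, "it needs need to be given the intermediate certificates"; make it "it needs to be given". The rewritten last paragraph also drops the old sentence saying the directive "ensures that the intermediate CA certificate is sent to the browser, filling the gap in the certificate chain", which was the only statement of what SSLCertificateChainFile actually does for the reader; I would keep a version of it, adjusted to the plural "certificates". Minor wording: "One reason this might happen is because" reads better as "One reason this might happen is that".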