Question

I am trying to use the SSLCACertificatePath directive in httpd to point to a collection of roots and intermediates for client certificate validation.

I am able to use a full, concatenated PEM-encoded file without any difficulty (using the SSLCACertificateFile directive), but I would prefer to be able to point to a directory rather than building one massive file.

I have followed the instructions in the httpd manual (and documented here) including making hashes of all the files as follows:

  1. Took my giant pem file and split out all the individual certificates (about 40 or so) using an awk command
  2. For each pem file, ran:

         openssl x509 -noout -hash -in NAME-OF-CA-FILE

     to get the hash
  3. Created symlinks to the pem files named HASH.X (like fa0db041.0, fa0db041.1, etc.)

When I point httpd to that directory, I end up getting the following errors when I attempt to do client certificate validation:

AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain

So it's like it isn't finding the intermediates and roots.

Again, this all works when using the combined PEM.

Any advice?


Solution

Did you make sure that your apache process has the rights to read the files in the folder?

When you use SSLCACertificateFile, the file is loaded during apache startup, with root privileges.

When you're using SSLCACertificatePath, files are not loaded during startup.

I had the same problem, and setting correct rights on the folder solved it.
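The question's three-step procedure and the answer's permission point can be checked together with a small script. The following is an added example, not code from the question, the answer, or the httpd project: it splits a bundle with awk, links each certificate under the OpenSSL subject-name hash with the first free `.N` suffix (so two CAs that collide on the same hash get `.0` and `.1` instead of one overwriting the other), and lists anything an unprivileged httpd worker could not read. It assumes POSIX sh, awk and the `openssl` CLI; the file names `cert-NNN.pem` and the `/etc/httpd/ca-certs` path in the usage line are placeholders. `-subject_hash` is what `-hash` means in OpenSSL 1.0.0 and later.

```shell
#!/bin/sh
# Added example (not from the question or answer): build a hash directory
# for httpd's SSLCACertificatePath and check it is readable by the worker.

# Split a concatenated PEM bundle into one file per certificate in OUTDIR.
# Prints the number of certificates written. Only the lines between
# BEGIN/END CERTIFICATE are kept, so comments between certs are dropped.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# First unused HASH.N name in DIR: OpenSSL tries HASH.0, HASH.1, ... in turn,
# so colliding subject hashes must get distinct suffixes, not overwrite.
next_free_link() {
    dir="$1"; hash="$2"; i=0
    while [ -e "$dir/$hash.$i" ]; do i=$((i + 1)); done
    printf '%s.%d\n' "$hash" "$i"
}

# Link every cert-*.pem in CERTDIR as HASH.N using the subject-name hash
# that OpenSSL's lookup-by-directory expects (same as 'openssl x509 -hash').
build_hash_dir() {
    certdir="$1"
    for f in "$certdir"/cert-*.pem; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$f") || return 1
        ln -s "$(basename "$f")" "$certdir/$(next_free_link "$certdir" "$h")"
    done
}

# Entries an unprivileged worker (neither owner nor group) could not read:
# directories need other-rx (005), files other-r (004). Prints nothing when
# everything is readable. Mode bits only; ACLs and SELinux are not checked.
unreadable_entries() {
    dir="$1"
    find "$dir" -type d ! -perm -005
    find "$dir" -type f ! -perm -004
}

# Usage: sh build-ca-dir.sh BUNDLE.pem /etc/httpd/ca-certs  (placeholder path)
if [ "$#" -eq 2 ]; then
    count=$(split_bundle "$1" "$2")
    echo "split $count certificates into $2"
    build_hash_dir "$2"
    chmod 755 "$2"; chmod 644 "$2"/cert-*.pem
    unreadable_entries "$2"
fi
```

On OpenSSL 1.1.0 and later, `openssl rehash DIR` creates the same `HASH.N` links in one step (older releases ship the `c_rehash` script). Whichever tool builds the links, run `unreadable_entries` afterwards: unlike `SSLCACertificateFile`, which is read once at startup, chain lookup through `SSLCACertificatePath` opens the individual files at handshake time in the worker process, so a directory that root can read but the httpd user cannot produces exactly the "unable to get local issuer certificate" error quoted in the question.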

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow