httpd-users mailing list archives

From daniel bryan <>
Subject [users@httpd] Acceptable client certificate CA names Limitations
Date Fri, 13 Mar 2015 17:22:35 GMT

I have Apache 2.4 (win32) and have the following in my CA bundle.
Root 1
Subordinate 1
Subordinate 2

My server was signed off Subordinate 1.
When I do openssl s_client -connect server:443
it shows both Subordinate 1 and Subordinate 2 in the acceptable CA names.

If I remove Subordinate 2 from the bundle, it only shows Subordinate 1 as an
acceptable CA. However, if I remove Subordinate 1, it still shows as an
acceptable CA.

It seems httpd references not only cabundle/cafiles but also certs in the
chain file as acceptable CAs.

Is it possible to prevent a user signed off Subordinate 1 from using
client certificate authentication while the server cert is issued off
Subordinate 1?
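
Added example, not part of the original message: a check that extracts the "Acceptable client certificate CA names" list from `openssl s_client` output and reports any advertised CA that is not on an intended allow-list, so the behaviour described above can be re-tested after each bundle or chain-file change. The sample output, the DN values and the function names are constructed for illustration.

```python
import re

# Constructed sample of `openssl s_client -connect server:443` output (not captured
# from a real server); the DNs are placeholders using the names from the message.
SAMPLE = """\
CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=XX/O=Example/CN=Subordinate 1
/C=XX/O=Example/CN=Subordinate 2
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
"""

HEADER = "Acceptable client certificate CA names"
# Lines that follow the CA-name list in s_client output and therefore end it.
END = re.compile(r"^(---|Client Certificate Types:|Requested Signature Algorithms:)")


def normalize_dn(line):
    """Map both DN print styles ('/C=XX/CN=x' and 'C = XX, CN = x') to 'C=XX,CN=x'.

    Simplification: values containing '/' or ', ' are not handled.
    """
    line = line.strip()
    parts = line.split("/") if line.startswith("/") else line.split(", ")
    return ",".join(re.sub(r"\s*=\s*", "=", p, count=1) for p in parts if p)


def acceptable_ca_names(s_client_output):
    """Return the normalized DNs listed under the 'Acceptable ... CA names' header."""
    names, in_list = [], False
    for line in s_client_output.splitlines():
        if line.strip() == HEADER:
            in_list = True
        elif in_list:
            if END.match(line) or not line.strip():
                break
            names.append(normalize_dn(line))
    return names


def unexpected_cas(s_client_output, allowed):
    """Return advertised CA names that are not in the intended allow-list."""
    allowed = {normalize_dn(a) for a in allowed}
    return [n for n in acceptable_ca_names(s_client_output) if n not in allowed]


if __name__ == "__main__":
    # Intended policy in this example: only Subordinate 2 may issue client certs.
    print(unexpected_cas(SAMPLE, ["/C=XX/O=Example/CN=Subordinate 2"]))
```

The advertised list is only a hint to the client about which certificates to offer, so a clean result here does not by itself show that certificates from an unlisted CA are rejected.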

