Score:0

Is it necessary to include a CA file reference in my Apache vhost config block?

dj flag

I'm upgrading my Apache web server and wondering if I even need to declare a CA file in the vhost config?

My vhost setup is

```
SSLEngine on
SSLCertificateFile /home/user/ssl/${SITE}-cert.pem
SSLCertificateKeyFile /home/user/ssl/${SITE}-key.pem
SSLCertificateChainFile /home/user/ssl/${SITE}-ca.pem
#SSLCACertificateFile /home/user/ssl/${SITE}-ca.pem
```

By default Apache ships with just the SSLCertificateFile and SSLCertificateKeyFile active. Same with Debian's package. I understand both of these.

By default, both SSLCertificateChainFile and SSLCACertificateFile are disabled on Apache's source and Debian's package. I thought I understood these, but not so sure now.

All of my websites work fine with both CA directives disabled.

But am I missing something? Is disabling both of them causing my server to provide a CA behind the scenes, like from the system's /etc/ssl/certs?

Let's Encrypt provides their CA file during renewal, so I figured it wouldn't hurt to specify the SSLCertificateChainFile, but I want to understand why my sites work without it?

Don't these two CA directives serve a similar purpose to cURL's CA-bundle file taken from Mozilla? Can I just point SSLCACertificateFile to that on my server and call it a day?

It was my understanding that the client takes care of verifying the website's cert by using its own authorized CA. Am I wrong?

Docs don't seem to offer any insight:

SSLCertificateChainFile and SSLCACertificateFile

Score:2
cn flag

First of all, sending the intermediate chain towards the root certificate with your server response is not always exactly NEEDED, but it is recommended practice.

Many clients nowadays have all kinds of intermediate certificates stored in their certificate trust stores or get them from the OS trust store. However if you intend to serve the GENERAL public, you cannot make any assumptions on this, and you SHOULD send the intermediate chain with your response.

If you don't send the intermediate chain you will be left with sporadic reports of people being unable to connect to your service. And that may depend on their browser, the version of the browser and the underlying OS.

Ironically, choosing a specific intermediate chain and sending it with the response may sometimes abort the SSL validation for some clients that would have validated it from some stored chain themselves, as was the case with some older openssl clients on servers and letsencrypt issued certificates, but you can assume that in that case the support of those servers will eventually figure it out.

You don't actually need the ChainFile directive in Apache for that per se, because you can also concatenate pem certificate files from end certificate towards the root and use them with just the SSLCertificateFile directive.

What you don't need to do, is send the root certificate. Because if a client would actually use that, it would defeat the practical use of SSL validation.

SSLCACertificateFile is needed if and only if you need to validate certificates from clients that connect towards you AND you don't want to use the system's underlying trust store for that. So, this is actually a totally different use than the SSLCertificateChainfile.

Furthermore, if in doubt use the excellent validation tools of Qualys SSL Labs: https://www.ssllabs.com/ssltest/

in flag
The question is not about the root certificate, it's about the CA used for client certification. This CAN be the root CA of the site, but it doesn't have to.
Gerrit avatar
cn flag
The OP talks about hosting `websites`, so in this case only the `SSLCertificateChainfile` is relevant.
Jeff avatar
dj flag
*If you don't send the intermediate chain you will be left with sporadic reports of people being unable to connect to your service.* This is what I want to avoid. If specifying the `SSLCACertificateFile` or the `SSLCertificateChainFile` will help prevent this, then I'll add the appropriate directive. If it makes no difference, I won't.
Gerrit avatar
cn flag
You SHOULD absolutely send the intermediate chain. It makes no difference if you concatenate it with the end certificate and send it in `SSLCertificateFile`, or you keep the end certificate and chain separate and send the chain in `SSLCertificateChainFile`. As I explained, sporadically with people working on old servers that will actually block them, but that can't be helped.
Jeff avatar
dj flag
I found these [LetsEncrypt](https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates) docs which clears everything up. Thanks again.
Gerrit avatar
cn flag
Yes, it's actually LetsEncrypt where the default intermediate chain is optimized for maximum compatibility with as many clients as possible, but in the process destroying the compatibility with some old server software if people don't maintain it. This happened after the old root expired.
A.B avatar
cl flag
A.B
I generally agree with what Gerrit wrote. But to be nitpicking about the specific apache configuration, the same default configuration usually tells that SSLCertificateChainfile can be pointed to the same SSLCertificateFile cert if it contains a concatenation of server+intermediates. Actually not defining it in such a case works the same (and is more logical). This feature (allowing to *not* use SSLCertificateChainfile) is available since apache httpd 2.4.8: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile
Score:1
se flag

A CA file is needed if certificates need to be validated against this CA. In the context of an SSL server like Apache this is necessary for validating client certificates and for validating OCSP responses in the context of OCSP stapling. If none of this is needed, then no CA file needs to be given. If any of this is needed but the validation should happen against the system default CA then no CA file needs to be given either.
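The two answers above (Gerrit's on serving the intermediate chain, this one on what a CA file is actually for) come together in the vhost fragments below. This is an added example, not configuration posted by the question author or either answerer. The certificate paths follow certbot's default `/etc/letsencrypt/live/<domain>/` layout (`cert.pem`, `chain.pem`, `fullchain.pem`, `privkey.pem`); the `admin.example.com` vhost and its private CA path are hypothetical, and the chain-in-`SSLCertificateFile` form assumes httpd 2.4.8 or later as A.B's comment notes.

```apache
# Added example: not from the question or the answers.
# Apache does not allow trailing comments, so every comment is on its own line.

# Scenario 1: an ordinary public HTTPS site (what the question describes).
# fullchain.pem holds the leaf certificate followed by the intermediate(s),
# leaf first. The root is deliberately absent: browsers must already trust it.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # No SSLCertificateChainFile: httpd >= 2.4.8 reads the chain from SSLCertificateFile.
    # No SSLCACertificateFile: this vhost never verifies client certificates.
</VirtualHost>

# Scenario 1b: the same thing with leaf and chain kept in separate files.
# Equivalent on the wire; pick whichever matches your renewal tooling.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # leaf certificate only
    SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
    # intermediate(s) only, no root
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>

# Scenario 2 (hypothetical): the case where SSLCACertificateFile is needed.
# An internal host that requires client certificates issued by a private CA.
# The CA file is the trust anchor used to verify the *client*; it is not
# something browsers receive, and it has nothing to do with the server chain.
<VirtualHost *:443>
    ServerName admin.example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/admin.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/admin.example.com/privkey.pem
    # assumed path to the private CA that issued the client certificates
    SSLCACertificateFile  /etc/ssl/private-ca/clients-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

To confirm what a vhost actually sends, run `openssl s_client -connect example.com:443 -servername example.com -showcerts` from a machine outside the server and check that the output lists the leaf first, then the intermediate(s), and no self-signed root. If the chain is missing, clients that do not ship the intermediate will report a verification failure even though the leaf itself is valid.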

Jeff avatar
dj flag
In the context of a plain-old web server serving up https, is defining the CA directives typically necessary? I have no idea if I'm doing OCSP stapling, and not sure if I'm validating client certificates when I serve my https pages.
in flag
If you don't know if you use these features chances are very high that you don't.
Jeff avatar
dj flag
I think I understand now. Most clients validate the server with their CA, but most servers serving up https don't validate the client. Thus, I do not need to specify a `CA` directive unless I start validating my clients. Sound right?
Steffen Ullrich avatar
se flag
@Jeff: Yes, typically no client certificates are used. And OCSP stapling (if enabled at all) can be verified against the system CA.