What is SSLCACertificateFile
SSLCACertificateFile, according to Apache httpd docs, is a directive that sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with.
These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.
In layman’s terms, SSLCACertificateFile can be used to provide your “private”, self-signed CA, which can issue client certificates that are later distributed to selected users.
Serve self-signed certificates with SSLCACertificateFile
First, you need to generate the client key and certificate using OpenSSL:
openssl genrsa -out client.key 2048   # client private key, required by "-key client.key" below
openssl req -config /usr/share/apache2/ssleay.cnf -new -key client.key -out client.csr
openssl x509 -req -days 365 -CA /etc/apache2/ssl/apachelca2.pem -CAkey /etc/apache2/ssl/apachelca2.pem -CAcreateserial -in client.csr -extfile /usr/share/apache2/ssleay.cnf -extensions v3_req -out client.crt
Once apachelca2.pem has been generated, include the following directives in your httpd.conf. Remember to remove what you don’t use!
# site certificate signed by Verisign
SSLCertificateFile /etc/apache2/ssl/apache.cer
# site key for the certificate signed by Verisign
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
# your self-signed CA
SSLCACertificateFile /etc/apache2/ssl/apachelca2.pem
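The openssl x509 command above reads both the CA certificate and the CA key from apachelca2.pem, and the same file is then given to SSLCACertificateFile, which only needs the certificates. As an added example (not from the original page), this shell check confirms that a bundle is a clean concatenation of PEM certificates and contains no private key; the function name check_ca_bundle and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: structural lint for the PEM bundle SSLCACertificateFile points at.
# check_ca_bundle FILE prints a summary and returns 0 only if FILE holds at
# least one certificate, every block is well-formed, and nothing else is inside.
check_ca_bundle() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF line endings
        /^-----BEGIN .*-----$/ {
            if (cur != "") bad++                    # BEGIN inside an open block
            cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
            next
        }
        /^-----END .*-----$/ {
            t = $0; sub(/^-----END /, "", t); sub(/-----$/, "", t)
            if (t != cur)                 bad++     # END label differs from BEGIN
            else if (t == "CERTIFICATE")  certs++
            else if (t ~ /PRIVATE KEY$/)  keys++    # CA key should stay off the web server
            else                          other++   # CSR, CRL, DH parameters, ...
            cur = ""
            next
        }
        END {
            if (cur != "") bad++                    # last block never closed
            printf "certificates=%d private_keys=%d other=%d malformed=%d\n",
                   certs, keys, other, bad
            ok = (certs > 0 && keys == 0 && other == 0 && bad == 0)
            exit ok ? 0 : 1
        }' "$1"
}

# Constructed sample input: placeholder base64 bodies, not real certificates or keys.
demo_dir=$(mktemp -d)
pem() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }
{ pem CERTIFICATE; pem CERTIFICATE; }   > "$demo_dir/ca-bundle.pem"
{ pem CERTIFICATE; pem "PRIVATE KEY"; } > "$demo_dir/ca-with-key.pem"

check_ca_bundle "$demo_dir/ca-bundle.pem"   && echo "ca-bundle.pem: ok"
check_ca_bundle "$demo_dir/ca-with-key.pem" || echo "ca-with-key.pem: rejected"
```

The check is structural only; it does not parse the certificates or validate any chain.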
Install an Intermediate CA cert in Apache
In order to install an Intermediate CA cert in Apache, you have to specify a .crt file in the SSLCACertificateFile directive.
SSLCACertificateFile /etc/httpd/conf/ssl.crt/my_ca.crt
Detailed steps can be found at RedHat Knowledge Base.