SSLCACertificateFile in Apache httpd

What is SSLCACertificateFile

SSLCACertificateFile, according to Apache httpd docs, is a directive that sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with.

These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.

In layman’s terms, SSLCACertificateFile can be used to provide your “private”, self-signed CA, which can issue client certificates that will later be distributed to selected users.

Serve self-signed certificates with SSLCACertificateFile

First, generate the client key, a certificate signing request (CSR) and the signed client certificate with OpenSSL. The CA itself is assumed to exist already, with its private key and certificate stored together in /etc/apache2/ssl/apachelca2.pem, which is why the same file is passed as both -CA and -CAkey:

openssl genrsa -out client.key 2048

openssl req -config /usr/share/apache2/ssleay.cnf -new -key client.key -out client.csr

openssl x509 -req -days 365 -CA /etc/apache2/ssl/apachelca2.pem -CAkey /etc/apache2/ssl/apachelca2.pem -CAcreateserial -in client.csr -extfile /usr/share/apache2/ssleay.cnf -extensions v3_req -out client.crt

Once apachelca2.pem (your CA’s key and certificate) exists, include the following directives in your httpd.conf. Remember to remove what you don’t use! Note that httpd does not accept a comment after a directive on the same line, so the comments are on lines of their own:

# site certificate signed by Verisign
SSLCertificateFile /etc/apache2/ssl/apache.cer
# site key for the certificate signed by Verisign
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
# your self-signed CA, used to verify client certificates
SSLCACertificateFile /etc/apache2/ssl/apachelca2.pem

Install an Intermediate CA cert in Apache

In order to install an Intermediate CA cert in Apache, you have to specify a .crt file in the SSLCACertificateFile directive.

SSLCACertificateFile /etc/httpd/conf/ssl.crt/my_ca.crt
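Both sections above hand httpd a file that is simply PEM certificates concatenated in order of preference. A quick structural check of such a bundle, as an added example that is not from the original post or from the Apache project: it walks the PEM blocks in file order, confirms each body decodes to a single DER SEQUENCE, and catches two common concatenation mistakes (a BEGIN marker glued to the previous END because a source file lacked its trailing newline, and a truncated last certificate). The certificate bodies are constructed stand-ins, and this is a file-format check only; openssl verify -CAfile remains the way to confirm that a chain actually validates.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_length(der):
    """Return (header_size, content_length) for a DER SEQUENCE, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_ca_bundle(text):
    """Check a concatenated PEM bundle the way SSLCACertificateFile expects it.

    Returns (number_of_well_formed_certificates, list_of_problems)."""
    problems = []
    certs = []
    pos = 0
    index = 0
    while True:
        start = text.find(BEGIN, pos)
        if start == -1:
            break
        index += 1
        # OpenSSL's PEM reader only recognises a marker at the start of a line
        if start > 0 and text[start - 1] != "\n":
            problems.append(f"cert {index}: BEGIN marker is not at the start of a line "
                            "(previous file probably lacks a trailing newline)")
        stop = text.find(END, start)
        if stop == -1:
            problems.append(f"cert {index}: missing END marker (truncated bundle)")
            break
        body = text[start + len(BEGIN):stop]
        pos = stop + len(END)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"cert {index}: body is not valid base64")
            continue
        hdr = der_sequence_length(der)
        if hdr is None or hdr[0] + hdr[1] != len(der):
            problems.append(f"cert {index}: decoded body is not a single DER SEQUENCE")
            continue
        certs.append(der)
    return len(certs), problems


# Constructed stand-in for a certificate body: DER SEQUENCE { INTEGER 5 }.
# A real certificate is far longer but has the same outer SEQUENCE structure.
FAKE_CERT = "MAMCAQU="

# Constructed bundle in the expected layout; the first block is the most preferred.
GOOD_BUNDLE = (
    f"{BEGIN}\n{FAKE_CERT}\n{END}\n"
    f"{BEGIN}\n{FAKE_CERT}\n{END}\n"
)

# Constructed bundle with two common mistakes: END glued to the next BEGIN
# (cat of a file without a trailing newline) and a truncated last certificate.
BAD_BUNDLE = (
    f"{BEGIN}\n{FAKE_CERT}\n{END}"
    f"{BEGIN}\n{FAKE_CERT}\n{END}\n"
    f"{BEGIN}\nMAMC\n"
)

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        count, found = check_ca_bundle(bundle)
        print(f"{name}: {count} well-formed certificate(s)")
        for line in found:
            print("  ", line)
```

To run it against a real file, read the bundle with open(path).read() and pass the text to check_ca_bundle; a non-empty problem list means httpd will most likely reject the file or silently load fewer CAs than you intended.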

Detailed steps can be found at RedHat Knowledge Base.

We’ve also written a few other guides which you may be interested in, such as How to fix cURL “Invalid certificate chain” error, Select a certificate to authenticate yourself and Fix “failed to verify the legitimacy of the server” error in cURL.