ssl

Steven Alligood steve at bluehost.com
Tue Mar 16 11:55:09 MDT 2010


On 03/16/2010 11:50 AM, Michael Torrie wrote:
> Note that you will need to tell apache about the signing authority
> chain.  This is essentially a list of who trusts who and is required for
> some reason or else your cert will not be seen as valid by the web browsers.
>
> My apache config has these three settings in it:
>
> SSLCertificateFile /etc/pki/tls/certs/<yourcert>.crt
> SSLCertificateKeyFile /etc/pki/tls/private/<yourkey>.key
> SSLCertificateChainFile /etc/pki/tls/certs/gd_intermediate_bundle.crt
>
> The gd_intermediate_bundle.crt is provided by godaddy.
>
>    

Most of the Big Name Certificate Authorities already have their root 
certs in most of the browsers out there (required in order to 
authenticate your cert).  Most of the less expensive CA companies do 
not.  Instead, they buy a (rather expensive) chain cert from one of the 
Big Name CAs to sign their own certs against.  The chain file connects 
the inexpensive cert to the expensive Big Name CA root cert in all the 
browsers of the world, letting the m function without having to make any 
potential customer go to your CA and get their specific cert.  How many 
clients do you think would know how to do that?  ;)

-Steve

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5515 bytes
Desc: S/MIME Cryptographic Signature
Url : http://plug.org/pipermail/plug/attachments/20100316/27fade44/attachment.bin 


More information about the PLUG mailing list