I currently have two Apache servers running here and here; both use SSL certs signed by StartSSL. Apache SSL configuration below:
## SSL directives
SSLEngine on
SSLCertificateFile "/etc/certificates/thor.vikingserv.net/certificate.crt"
SSLCertificateKeyFile "/etc/certificates/thor.vikingserv.net/private.key"
SSLCertificateChainFile "/etc/certificates/intermediate/startssl-class-1.crt"
Both the server certificate and the intermediate certificate are SHA-256, but the CA cert is SHA-256 on my Linux workstation, but SHA-1 on my MacBook.
I could use the SSLCACertificatePath directive within Apache to force the SHA-256 CA cert, but would this override the root certificate distributed with the OS?
No, it wouldn't, because if clients trusted a random root certificate presented to them, the whole point of a trust store would be somewhat moot.
Two notes about your question:
SSLCACertificatePath wouldn't help you anyway, as that directive is only used when validating client certificates, which is not what you're doing.
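
Added example, not part of the original question or answer: a small Python check that reads an Apache SSL configuration and separates the certificates presented to visitors from the CA settings that, as the answer says, only apply to client-certificate validation. It assumes a single flat configuration with no Include or per-directory overrides; the path /etc/certificates/ca in the sample is a made-up placeholder.

```python
import re

# mod_ssl directives that configure CAs for verifying *client* certificates.
CLIENT_AUTH_CA = {"sslcacertificatepath", "sslcacertificatefile"}
# Directives whose certificates are presented to the connecting client.
SENT_TO_CLIENT = {"sslcertificatefile", "sslcertificatechainfile"}

def parse_directives(conf_text):
    """Return (name, argument) pairs, skipping blank lines and comments."""
    pairs = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'(\S+)\s*(.*)', line)
        pairs.append((m.group(1), m.group(2).strip().strip('"')))
    return pairs

def audit(conf_text):
    """Classify SSL directives and flag client-auth CA settings with no client auth."""
    pairs = parse_directives(conf_text)
    # The last SSLVerifyClient wins; mod_ssl's default is "none".
    verify = next((a.lower() for n, a in reversed(pairs) if n.lower() == "sslverifyclient"), "none")
    report = {"sent_to_client": [], "client_auth_ca": [], "warnings": []}
    for name, arg in pairs:
        key = name.lower()
        if key in SENT_TO_CLIENT:
            report["sent_to_client"].append(arg)
        elif key in CLIENT_AUTH_CA:
            report["client_auth_ca"].append(arg)
            if verify == "none":
                report["warnings"].append(
                    f"{name} is for verifying client certificates and SSLVerifyClient "
                    "is none; it does not change which root a visiting client trusts")
    return report

# Constructed sample: the question's directives plus the proposed SSLCACertificatePath.
SAMPLE = '''
## SSL directives
SSLEngine on
SSLCertificateFile "/etc/certificates/thor.vikingserv.net/certificate.crt"
SSLCertificateKeyFile "/etc/certificates/thor.vikingserv.net/private.key"
SSLCertificateChainFile "/etc/certificates/intermediate/startssl-class-1.crt"
SSLCACertificatePath "/etc/certificates/ca"
'''

if __name__ == "__main__":
    for section, items in audit(SAMPLE).items():
        print(section, items)
```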