Home / ubuntu / Questions / 310910
Accepted
Hojat Taheri
Asked: 2013-06-21 21:39:41 +0800 CST

what is "yourDomainName.ca-bundle"?

  • 772

for installing ssl certificate on ubuntu i have to insert these lines on virtualHost block:

SSLEngine on
SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
SSLCACertificateFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle

but i don't understand what the forth line does?

12.10

1 Answers

  1. Best Answer

    With certificates you are dealing with what you may call a "chain of trust". It's kind of "Adam says it's raining outside. I believe Adam because Bob said Adam's trustworthy. I believe Bob because Christine says Bob's trustworthy" and so on and so forth.

    A certificate is used, among other things like encryption, as a kind of ID badge: This website proclaims to be your-website.com, and it can show the certificate to prove it. But why to trust the certificate? Because it has been issued by an instance that is trusted itself, a so called certification authority (CA). This CA is operated by the company you bought your certificate from. But why to trust this CA? Because it can show a certificate that is trustworthy. That second certificate is issued from a "higher up" CA. This "higher up" CA has a certificate that it is trustworthy from still another CA, and so on. This goes on and on until you reach a "root certificate".

    Those root certificates are delivered with your web browser, mail client or other client that needs to assess a certificate. If your browser is presented a certificate, it checks whether it matches the site that uses it (domain name and such), and whether it trusts the CA that issued the certificate. The CA is trusted if the "higher up" CA that certified this CA is trusted, and so on. By this method, your browser should arrive at one point at one of its root certificates. If it does, the browser accepts the certificate we started out with. If it can't build a chain of trust back to a root certificate, it doesn't accept the certificate (or warns you about it, depending on your settings).

    As you see, not every CA gains its trust directly from a root certificate, there can be one or many intermediate steps. Those "intermediate certificates", so to speak, can be stored into a file, like your certificate and the corresponding key can. And the Apache directive SSLCACertificateFile tells where to look for that file. You should recieve those "intermediate certificates" along with your certificate, or they should be available from the company you bought your certificate from.

    • 1