
Re: Antw: Re: TLSCACertificateFile directive and multiple CA certificates



On Wed, May 17 2017 at 11:19:48 +0200, Ulrich Windl scribbled
 in "Antw: Re: TLSCACertificateFile directive and multiple CA certificates":
> >>> Dameon Wagner <dameon.wagner@it.ox.ac.uk> schrieb am 17.05.2017 um 10:34 in
<SNIP>
> >> I just realized one important point about my setup: Both CA
> >> certificates have the same DN. Other than that they are completely
> >> different certificates (different key, expiry date). Both CA
> >> certificates are valid (not expired).
> > 
> > Depending on how you're testing things, the duplicate DN may well
> > be _an_ issue, but possibly not a real issue...
> 
> I think the duplicate DN is a problem, because the DN (subject) is
> used to find a matching certificate. Then if that seems valid
> (regarding expiration dates), it'll be used. And I think the search
> is terminated there.

Indeed, it's definitely a problem, but I think the main problem is a
misunderstanding about what the TLSCACertificateFile directive is for
(and what Alex wants to achieve in using it).

> From a PKI point of view there's no problem with this algorithm,
> right?

I don't think so.  The documentation is clear that order doesn't
matter in the file pointed at by TLSCACertificateFile, but that mostly
refers to not having to apply the certificate chain in order of
descent, rather than any order of priority -- so long as the chain
can be traversed without gaps using the certificates concatenated in
the file, it should be happy.

(I won't comment on how carefully pedantic sysadmins like myself craft
our chain files :)

Cheers.

Dameon.

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Systems Development and Support
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><