ssl_reference.html

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLCertificateFile</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> Server PEM-encoded X.509 Certificate file</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLCertificateFile</code> <em>filename</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <em>None</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config, virtual host</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> <em>Not applicable</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.0 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This directive points to the PEM-encoded Certificate file for the server and
optionally also to the corresponding RSA or DSA Private Key file for it
(contained in the same file). If the contained Private Key is encrypted the
Pass Phrase dialog is forced at startup time. This directive can be used up to
two times (referencing different filenames) when both a RSA and a DSA based
server certificate is used in parallel.
<p>
Example:
<blockquote>
<pre>
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
</pre>
</blockquote>
<!-- SSLCertificateKeyFile ------------------------------------------>
<p>
<br>
<a name="SSLCertificateKeyFile"></a>
<h2><a name="ToC11">SSLCertificateKeyFile</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLCertificateKeyFile</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> Server PEM-encoded Private Key file</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLCertificateKeyFile</code> <em>filename</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <em>None</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config, virtual host</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> <em>Not applicable</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.0 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This directive points to the PEM-encoded Private Key file for the server. If
the Private Key is not combined with the Certificate in the
<code>SSLCertificateFile</code>, use this additional directive to point to the
file with the stand-alone Private Key. When <code>SSLCertificateFile</code>
is used and the file contains both the Certificate and the Private Key this
directive need not be used. But we strongly discourage this practice.
Instead we recommend you to separate the Certificate and the Private Key. If
the contained Private Key is encrypted, the Pass Phrase dialog is forced at
startup time. This directive can be used up to two times (referencing
different filenames) when both a RSA and a DSA based private key is used in
parallel.
<p>
Example:
<blockquote>
<pre>
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
</pre>
</blockquote>
<!-- SSLCertificateChainFile ---------------------------------------->
<p>
<br>
<a name="SSLCertificateChainFile"></a>
<h2><a name="ToC12">SSLCertificateChainFile</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLCertificateChainFile</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> File of PEM-encoded Server CA Certificates</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLCertificateChainFile</code> <em>filename</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <em>None</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config, virtual host</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> <em>Not applicable</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.3.6 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This directive sets the optional <em>all-in-one</em> file where you can
assemble the certificates of Certification Authorities (CA) which form the
certificate chain of the server certificate. This starts with the issuing CA
certificate of of the server certificate and can range up to the root CA
certificate. Such a file is simply the concatenation of the various
PEM-encoded CA Certificate files, usually in certificate chain order.
<p>
This should be used alternatively and/or additionally to <a
href="#SSLCACertificatePath">SSLCACertificatePath</a> for explicitly
constructing the server certificate chain which is sent to the browser in
addition to the server certificate. It is especially useful to avoid conflicts
with CA certificates when using client authentication. Because although
placing a CA certificate of the server certificate chain into <a
href="#SSLCACertificatePath">SSLCACertificatePath</a> has the same effect for
the certificate chain construction, it has the side-effect that client
certificates issued by this same CA certificate are also accepted on client
authentication. That's usually not one expect.
<p>
But be careful: Providing the certificate chain works only if you are using a
<i>single</i> (either RSA <i>or</i> DSA) based server certificate. If you are
using a coupled RSA+DSA certificate pair, this will work only if actually both
certificates use the <i>same</i> certificate chain. Else the browsers will be
confused in this situation.
<p>
Example:
<blockquote>
<pre>
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
</pre>
</blockquote>
<!-- SSLCACertificatePath ------------------------------------------->
<p>
<br>
<a name="SSLCACertificatePath"></a>
<h2><a name="ToC13">SSLCACertificatePath</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLCACertificatePath</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> Directory of PEM-encoded CA Certificates for Client Auth.</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLCACertificatePath</code> <em>directory</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <em>None</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config, virtual host</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> <em>Not applicable</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.0 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This directive sets the directory where you keep the Certificates of
Certification Authorities (CAs) whose clients you deal with. These are used to
verify the client certificate on Client Authentication.
<p>
The files in this directory have to be PEM-encoded and are accessed through
hash filenames. So usually you can't just place the Certificate files
there: you also have to create symbolic links named
<i>hash-value</i><tt>.N</tt>. And you should always make sure this directory
contains the appropriate symbolic links. Use the <code>Makefile</code> which
comes with mod_ssl to accomplish this task.
<p>
Example:
<blockquote>
<pre>
SSLCACertificatePath /usr/local/apache/conf/ssl.crt/
</pre>
</blockquote>
<!-- SSLCACertificateFile ------------------------------------------->
<p>
<br>
<a name="SSLCACertificateFile"></a>
<h2><a name="ToC14">SSLCACertificateFile</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLCACertificateFile</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> File of concatenated PEM-encoded CA Certificates for Client Auth.</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLCACertificateFile</code> <em>filename</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <em>None</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Cont