问题描述

我在Web服务器上提供SSL页面，并且有一个问题.SSLCACertificateFile和SSLCertificateChainFile有什么区别?

I provide SSL pages on my web server, and I have a question.What is the difference between SSLCACertificateFile and SSLCertificateChainFile?

当我使用SSLCertificateChainFile时，我从日语手机浏览器收到警告，但是当我使用PC浏览器(如IE，FF)时，没有问题.另一方面，SSLCACertificateFile不会对两个浏览器造成任何问题.

When I use SSLCertificateChainFile, I got warnings from Japanese cellular phone browser, but when I use PC browser(like IE, FF), there was no problem.On the other hand, SSLCACertificateFile didn't cause any problem for both browsers.

浏览器连接到apache时有什么区别吗?

Is there any difference when browsers connect to apache?

推荐答案

SSLCertificateChainFile是一个正确的选择，但此指令已成为从Apache 2.4.8起已过时.此指令导致列出的文件与证书一起发送到所有连接的客户端.

SSLCertificateChainFile was a correct option to choose but this directive became obsolete as of Apache 2.4.8. This directive caused the listed file to be sent along with the certificate to any clients that connect.

SSLCACertificateFile (以下简称"CACert")取代了SSLCertificateChainFile( (以下简称链")，并另外允许使用相关证书来签署客户证书.这种身份验证非常罕见(至少目前是这样)，如果您不使用它，恕我直言，没有理由通过使用CACert而不是Chain来增强其功能.另一方面，有人可能会说附加功能没有危害，并且CACert涵盖了所有情况.这两个参数都有效.

SSLCACertificateFile (hereafter "CACert") supersedes SSLCertificateChainFile (hereafter "Chain"), and additionally permits the use of the cert in question to sign client certificates. This sort of authentication is quite rare (at least for the moment), and if you aren't using it, there's IMHO no reason to augment its functionality by using CACert instead of Chain. On the flipside, one could argue that there's no harm in the additional functionality, and CACert covers all cases. Both arguments are valid.

不用说，如果您要求证书供应商，他们将始终推动CACert over Chain，因为这会给他们另外一件事(客户证书)，他们有可能将您直接出售给您. ;)

Needless to say, if you ask the cert vendor, they'll always push for CACert over Chain, since it gives them another thing (client certs) that they can potentially sell you down the line. ;)

这篇关于SSLCACertificateFile和SSLCertificateChainFile之间的区别的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！