From: Rich Bowen
Date: Thu, 27 Oct 2011 13:25:07 +0000 (+0000)
Subject: Applies patch from Tomas Pospisek improving SSL FAQ on the topic...
X-Git-Tag: 2.2.22~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=006b39cd529c9e8e6ece047791cb783e394dc629;p=thirdparty%2Fapache%2Fhttpd.git

Applies patch from Tomas Pospisek improving SSL FAQ on the topic of intermediate certs.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1189746 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/ssl/ssl_faq.html.en b/docs/manual/ssl/ssl_faq.html.en index b9e9e530b10..c43f53a7588 100644 --- a/docs/manual/ssl/ssl_faq.html.en +++ b/docs/manual/ssl/ssl_faq.html.en @@ -276,7 +276,7 @@ Verisign, for installing my Verisign certificate?
  • Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) with mod_ssl?
  • Why do browsers complain that they cannot -verify my Verisign Global ID server certificate?
  • +verify my server certificate?

    What are RSA Private Keys, CSRs and Certificates?

    @@ -628,15 +628,23 @@ facility (aka Verisign Global ID) with mod_ssl?

    Why do browsers complain that they cannot -verify my Verisign Global ID server certificate?

    -

    Verisign uses an intermediate CA certificate between the root CA - certificate (which is installed in the browsers) and the server - certificate (which you installed on the server). You should have - received this additional CA certificate from Verisign. - If not, complain to them. Then, configure this certificate with the - SSLCertificateChainFile - directive. This ensures that the intermediate CA certificate is - sent to the browser, filling the gap in the certificate chain.

    +verify my server certificate? +

    One reason this might happen is because your server certificate is signed + by an intermediate CA. Various CAs, such as Verisign or Thawte, have started + signing certificates not with their root certificate but with intermediate + certificates.

    + +

    Intermediate CA certificates lie between the root CA certificate (which is + installed in the browsers) and the server certificate (which you installed + on the server). In order for the browser to be able to traverse and verify + the trust chain from the server certificate to the root certificate it + needs need to be given the intermediate certificates. The CAs should + be able to provide you such intermediate certificate packages that can be + installed on the server.

    + +

    You need to include those intermediate certificates with the + SSLCertificateChainFile + directive.

    top
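Review bot: The second added paragraph in the `@@ -628,15 +628,23 @@` hunk reads "it needs need to be given the intermediate certificates"; drop the doubled word so it reads "it needs to be given the intermediate certificates". The identical sentence is added to ssl_faq.xml in this patch, so it should be fixed in both files. In the first added paragraph, "One reason this might happen is because" would read better as "One reason this might happen is that".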
    diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index 06834b834c6..30f5feceb54 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -283,7 +283,7 @@ Verisign, for installing my Verisign certificate?
  • Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) with mod_ssl?
  • Why do browsers complain that they cannot -verify my Verisign Global ID server certificate?
  • +verify my server certificate?
    What are RSA Private Keys, CSRs and Certificates? @@ -635,15 +635,23 @@ facility (aka Verisign Global ID) with mod_ssl?
    Why do browsers complain that they cannot -verify my Verisign Global ID server certificate? -

    Verisign uses an intermediate CA certificate between the root CA - certificate (which is installed in the browsers) and the server - certificate (which you installed on the server). You should have - received this additional CA certificate from Verisign. - If not, complain to them. Then, configure this certificate with the - SSLCertificateChainFile - directive. This ensures that the intermediate CA certificate is - sent to the browser, filling the gap in the certificate chain.

    +verify my server certificate? +

    One reason this might happen is because your server certificate is signed + by an intermediate CA. Various CAs, such as Verisign or Thawte, have started + signing certificates not with their root certificate but with intermediate + certificates.

    + +

    Intermediate CA certificates lie between the root CA certificate (which is + installed in the browsers) and the server certificate (which you installed + on the server). In order for the browser to be able to traverse and verify + the trust chain from the server certificate to the root certificate it + needs need to be given the intermediate certificates. The CAs should + be able to provide you such intermediate certificate packages that can be + installed on the server.

    + +

    You need to include those intermediate certificates with the + SSLCertificateChainFile + directive.
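Review bot: The last added paragraph in the `@@ -635,15 +635,23 @@` hunk only says to "include those intermediate certificates with the SSLCertificateChainFile directive", and the sentence from the removed text that explained the effect is gone: "This ensures that the intermediate CA certificate is sent to the browser, filling the gap in the certificate chain." Consider keeping that sentence (in the plural), since it is what ties the directive back to the browser complaint the question asks about. "Include ... with the directive" is also ambiguous; the removed wording "configure this certificate with the SSLCertificateChainFile directive" was clearer about what the reader has to do.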