Get the CA Certificate

The “Client Certificate” we have just acquired only has value if it is issued by some responsible and respectable party. To prove that this is so, we need a CA certificate establishing that Thawte was the party in question. Since this is important, you might think that the process would be easy, but for some bashful reason both Thawte and Verisign make their CA certificates pretty hard to find. From the home page at http://www.thawte.com you click on ResourceCentre.In Developer’s Corner you find some text with a link to roottrustmap.When you go there you find a table of various roots. The one we need is PersonalFreemail.When you click on it, you get to download a file called persfree.crt.

We downloaded it to /usr/www/APACHE3/ca_cert — well above the Apache root. We added the line:

SSLCACertificateFile /usr/www/APACHE3/ca_cert/persfree.crt

Apache loaded, but the error_log had the line:

...
[<date>][error] mod_ssl: Init: (sales.butterthlies.com:443) Unable to configure 
verify locations for client authentication

which suggested that everything was not well. The problem is that the Thawte certificate is in what is known (somewhat misleadingly) as DER format, whereas it needs to be in what is known (even more misleadingly) as PEM format. The former is just a straight binary dump; the latter base64 encoded with some wrapping. To convert from one to the other:

openssl x509 -in persfree.crt -inform DER -out persfree2.crt

This time, when we started Apache (having altered ...

Get Apache: The Definitive Guide, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.