Certificate?</a></li>
<li><a href="#badcert">Why do connections fail with an "alert bad
certificate" error?</a></li>
-<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li>
-<li><a href="#hashsymlinks">Why is client authentication broken after
-upgrading from SSLeay version 0.8 to 0.9?</a></li>
<li><a href="#pemder">How can I convert a certificate from PEM to DER
format?</a></li>
-<li><a href="#verisign">Why can't I find the
-<code>getca</code> or <code>getverisign</code> programs mentioned by
-Verisign, for installing my Verisign certificate?</a></li>
-<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
-facility (aka Verisign Global ID) with mod_ssl?</a></li>
<li><a href="#gid">Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</a></li>
</ul>
unable to handle RSA key lengths not equal to 1024 bits.</p>
-<h3><a name="keysize" id="keysize">Why does my 2048-bit private key not work?</a></h3>
-<p>The private key sizes for SSL must be either 512 or 1024 bits, for compatibility
- with certain web browsers. A keysize of 1024 bits is recommended because
- keys larger than 1024 bits are incompatible with some versions of Netscape
- Navigator and Microsoft Internet Explorer, and with other browsers that
- use RSA's BSAFE cryptography toolkit.</p>
-
-
-<h3><a name="hashsymlinks" id="hashsymlinks">Why is client authentication broken after upgrading from
-SSLeay version 0.8 to 0.9?</a></h3>
-<p>The CA certificates under the path you configured with
- <code>SSLCACertificatePath</code> are found by SSLeay through hash
- symlinks. These hash values are generated by the `<code>openssl x509 -noout
- -hash</code>' command. However, the algorithm used to calculate the hash for a
- certificate changed between SSLeay 0.8 and 0.9. You will need to remove
- all old hash symlinks and create new ones after upgrading. Use the
- <code>Makefile</code> provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
-
-
<h3><a name="pemder" id="pemder">How can I convert a certificate from PEM to DER format?</a></h3>
<p>The default certificate format for SSLeay/OpenSSL is PEM, which is simply
Base64 encoded DER, with header and footer lines. For some applications
<code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
-<h3><a name="verisign" id="verisign">Why can't I find the
-<code>getca</code> or <code>getverisign</code> programs mentioned by
-Verisign, for installing my Verisign certificate?</a></h3>
-<p>Verisign has never provided specific instructions
- for Apache+mod_ssl. The instructions provided are for C2Net's
- Stronghold (a commercial Apache based server with SSL support).</p>
- <p>To install your certificate, all you need to do is to save the
- certificate to a file, and give the name of that file to the
- <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code> directive.
- You will also need to give it the key file. For more information,
- see the <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
- directive.</p>
-
-
-<h3><a name="sgc" id="sgc">Can I use the Server Gated Cryptography (SGC)
-facility (aka Verisign Global ID) with mod_ssl?</a></h3>
-<p>Yes. <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has included support for the SGC
- facility since version 2.1. No special configuration is required -
- just use the Global ID as your server certificate. The
- <em>step up</em> of the clients is then automatically handled by
- <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> at run-time.</p>
-
-
<h3><a name="gid" id="gid">Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</a></h3>
<p>Verisign uses an intermediate CA certificate between the root CA
Apache has to know the <code>Host</code> HTTP header field. To do this, the
HTTP request header has to be read. This cannot be done before the SSL
handshake is finished, but the information is needed in order to
- complete the SSL handshake phase. Bingo!</p>
+ complete the SSL handshake phase. See the next question for how to
+ circumvent this issue.</p>
<h3><a name="vhosts2" id="vhosts2">Is it possible to use Name-Based
Certificate?</a></li>
<li><a href="#badcert">Why do connections fail with an "alert bad
certificate" error?</a></li>
-<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li>
-<li><a href="#hashsymlinks">Why is client authentication broken after
-upgrading from SSLeay version 0.8 to 0.9?</a></li>
<li><a href="#pemder">How can I convert a certificate from PEM to DER
format?</a></li>
-<li><a href="#verisign">Why can't I find the
-<code>getca</code> or <code>getverisign</code> programs mentioned by
-Verisign, for installing my Verisign certificate?</a></li>
-<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
-facility (aka Verisign Global ID) with mod_ssl?</a></li>
<li><a href="#gid">Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</a></li>
</ul>
unable to handle RSA key lengths not equal to 1024 bits.</p>
</section>
-<section id="keysize"><title>Why does my 2048-bit private key not work?</title>
-<p>The private key sizes for SSL must be either 512 or 1024 bits, for compatibility
- with certain web browsers. A keysize of 1024 bits is recommended because
- keys larger than 1024 bits are incompatible with some versions of Netscape
- Navigator and Microsoft Internet Explorer, and with other browsers that
- use RSA's BSAFE cryptography toolkit.</p>
-</section>
-
-<section id="hashsymlinks"><title>Why is client authentication broken after upgrading from
-SSLeay version 0.8 to 0.9?</title>
-<p>The CA certificates under the path you configured with
- <code>SSLCACertificatePath</code> are found by SSLeay through hash
- symlinks. These hash values are generated by the `<code>openssl x509 -noout
- -hash</code>' command. However, the algorithm used to calculate the hash for a
- certificate changed between SSLeay 0.8 and 0.9. You will need to remove
- all old hash symlinks and create new ones after upgrading. Use the
- <code>Makefile</code> provided by <module>mod_ssl</module>.</p>
-</section>
-
<section id="pemder"><title>How can I convert a certificate from PEM to DER format?</title>
<p>The default certificate format for SSLeay/OpenSSL is PEM, which is simply
Base64 encoded DER, with header and footer lines. For some applications
<code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
</section>
-<section id="verisign"><title>Why can't I find the
-<code>getca</code> or <code>getverisign</code> programs mentioned by
-Verisign, for installing my Verisign certificate?</title>
-<p>Verisign has never provided specific instructions
- for Apache+mod_ssl. The instructions provided are for C2Net's
- Stronghold (a commercial Apache based server with SSL support).</p>
- <p>To install your certificate, all you need to do is to save the
- certificate to a file, and give the name of that file to the
- <directive module="mod_ssl">SSLCertificateFile</directive> directive.
- You will also need to give it the key file. For more information,
- see the <directive module="mod_ssl">SSLCertificateKeyFile</directive>
- directive.</p>
-</section>
-
-<section id="sgc"><title>Can I use the Server Gated Cryptography (SGC)
-facility (aka Verisign Global ID) with mod_ssl?</title>
-<p>Yes. <module>mod_ssl</module> has included support for the SGC
- facility since version 2.1. No special configuration is required -
- just use the Global ID as your server certificate. The
- <em>step up</em> of the clients is then automatically handled by
- <module>mod_ssl</module> at run-time.</p>
-</section>
-
<section id="gid"><title>Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</title>
<p>Verisign uses an intermediate CA certificate between the root CA
Apache has to know the <code>Host</code> HTTP header field. To do this, the
HTTP request header has to be read. This cannot be done before the SSL
handshake is finished, but the information is needed in order to
- complete the SSL handshake phase. Bingo!</p>
+ complete the SSL handshake phase. See the next question for how to
+ circumvent this issue.</p>
</section>
<section id="vhosts2"><title>Is it possible to use Name-Based
projects / apache / commitdiff