mod_ssl SSLCACertificatePath Proper Usage or What is the Best way to Handle Multiple Acceptable Client Certificate CAs

I am attempting to use the mod_proxy SSLCACertificatePath directive, but I'm a tad bit confused on how to use it properly.

Here are two links explaining the SSLCACertificatePath directive:
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatepath
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC13

I'm not positive on how to create the hashed symbolic links. The second link states to use the apache make file, but I'm quite clueless on what is exactly being said there.

Any friendly guidance would be greatly appreciated.

Thank you for your time.

UPDATE

The goal of my question was to figure out how to handle multiple CAs for validating end user Client Certificates. I didn't realize that multiple pem certificates could be using in one file, which, in my case is clearly the right way to move forward.


If you are unclear on how to make the hash-named symlinks my suggestion is not to use CACertificatePath, but rather to use CACertificateFile instead. (Actually this is my suggestion in general: properly maintaining a CACertificateFile may be slightly more work if you have lots of CA certificates that change often, but you probably shouldn't have lots of CA Certificates, and they shouldn't change much anyway...) In addition it appears that the Makefile referenced has disappeared from Apache's distribution tarballs (and the general lack of public outcry may indicate how many people are using the "path" method of storing certificates :).

All that said, if you still want to do this you can proceed per what DerfK said (either get the old Makefile, or write your own script/makefile that runs openssl x509 -noout -hash against all your certificate files and creates appropriately-named symbolic links).


I found an open bug regarding this. Other than downloading the old modssl.org release referred to in the bug and getting the Makefile from it, it seems you can get the value of the hash from openssl x509 -in foo.crt -noout -hash though it's not clear what the ".N" part refers to (perhaps this was for hash collisions (eg first cert with hash 12345678 has a symlink 12345678.1 pointing to it, second cert that has the same hash uses .2? Or maybe it starts with .0?)

If you get the Makefile.crt file from the old modssl, I believe what you would do is drop it in the folder with all your certificates, then run make -f Makefile.crt in that folder.