Does Apache need to know about intermediate certificates for client authentication?
When a client authenticates a server, the server will send the chain that is defined in SSLCertificateChainFile, which is your responsibility as server admin. So when the client identifies itself, it is also responsible for sending the whole chain. Apache needs only to know about the CA certificate, which you define in SSLCACertificateFile. You may at your discretion also define chains here, which will make Apache more lenient towards clients not sending chains themselves.
When you sign certificates for users, make sure that the user is provided with the correct chain. Your user can construct a .p12 using the following OpenSSL command:
openssl pkcs12 -export -in ${SIGNED_CERT} -inkey ${PRIVATE_KEY} \
-name ${USERNAME} -out ${OUTPUT_P12} -certfile ${PROVIDED_CHAIN}
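To see what the answer describes, here is an added example (not part of the answer; it assumes a POSIX shell and the openssl CLI) that builds a throwaway root CA, intermediate CA and client certificate, then runs openssl verify three ways: -CAfile stands in for SSLCACertificateFile and -untrusted for the chain the client sends in the handshake.

```shell
#!/bin/sh
# Added example, not from the answer: build a throwaway root CA, an
# intermediate CA and a client certificate, then check the client cert the way
# Apache does. -CAfile stands in for SSLCACertificateFile; -untrusted stands in
# for the chain the client presents during the handshake.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the CAs and for the end-entity client cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# Root CA: constructed test material (self-signed, valid one day).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 1 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.pem >/dev/null 2>&1

# Client (user) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 1 -extfile client.ext -out client.pem >/dev/null 2>&1

# verify_client TRUSTFILE [CHAINFILE]: exit 0 if client.pem chains to a
# certificate in TRUSTFILE using only the extra certs in CHAINFILE (if given).
verify_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" client.pem >/dev/null 2>&1
  fi
}

# The lenient variant from the answer: root and intermediate in the trust file.
cat root.pem inter.pem > root_plus_inter.pem
# Three cases: client sends no chain (fails), client sends its intermediate
# (ok), server is lenient and holds the intermediate itself (ok).
verify_client root.pem            && echo "root only, no chain: ok" || echo "root only, no chain: FAILS"
verify_client root.pem inter.pem  && echo "client sends intermediate: ok"
verify_client root_plus_inter.pem && echo "intermediate in trust file: ok"
```

The first case is exactly the client that omits its intermediate from the .p12; the third is what you get by appending the intermediate to SSLCACertificateFile.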