Root CA Trust

The chain's root certificate is checked for trustworthiness: it must be a CA certificate (CA:TRUE in extensions), and it must be trusted locally (i.e. be listed in sslcacertificatefile or SSL CA Certificate File). Note that this means that if the peer certificate is self-signed (and thus a root certificate itself), it must also be a CA certificate; however, CA certificates are typically not used as server certificates and may cause a warning at server startup.

If the peer chain's root certificate is not trusted, the "Cannot verify certificate ..." reason that results is usually "self signed certificate in certificate chain".


Copyright © Thunderstone Software     Last updated: Oct 24 2023
Copyright © 2024 Thunderstone Software LLC. All rights reserved.