Virtualmin confusing server chain certificates with client CA certs?

#1 Fri, 12/05/2014 - 05:48
endertech_rolmos

In a few instances I've discovered that Virtualmin appears to be confusing chain certificates with CA certificates, unless my understanding is mistaken. For example, in Server Configuration > Manage SSL Certificate there's a tab for a CA certificate. Within the tab it explains that it's for helping clients such as web browsers trust the leaf cert via intermediate certs.

Technically the CA certificate in this case is a chain cert. However, beyond the semantics, the configuration changes are using CA-related directives instead of a chain cert. The effect of these directives is for client certs and not specifically chain certs.

For example, in Apache the chain cert is specified using the SSLCACertificate directive instead of SSLChainCertificate. In Postfix it uses the smtpd_tls_CAfile directive instead of a single certificate file with the chain included.

For Apache: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile says "These are used for Client Authentication"; by default it's commented out, so no client certs validate.

For Postfix: http://www.postfix.org/postconf.5.html#smtpd_tls_CAfile says "By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty." Additionally: "but it is best to include all the required certificates directly in the server certificate file." (as their TLS_README shows).

Is my understanding correct that chain certs should not be using the CA-related directives, and that the CA certificate tab within Virtualmin should be updated?

Thanks
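The pattern the post describes (intermediates configured through a client-CA directive while client-certificate verification is off) can be checked mechanically. The script below is an added example, not part of the post or of Virtualmin; it scans constructed Apache and Postfix config text with placeholder paths and reports the mismatch, naming the directive where the chain actually belongs (SSLCertificateChainFile for Apache 2.2, smtpd_tls_cert_file for Postfix).

```python
# Constructed sample configs; paths are placeholders, not from any real host.
APACHE_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.com.crt
    SSLCertificateKeyFile /etc/ssl/example.com.key
    SSLCACertificateFile  /etc/ssl/intermediate.crt
</VirtualHost>
"""
POSTFIX_MAIN_CF = """
smtpd_tls_cert_file = /etc/ssl/example.com.crt
smtpd_tls_key_file  = /etc/ssl/example.com.key
smtpd_tls_CAfile    = /etc/ssl/intermediate.crt
smtpd_tls_ask_ccert = no
"""

def parse_kv(text, sep):
    """Map name -> value for 'name<sep>value' lines; skips comments and <tags>."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(sep)
            out[name.strip()] = value.strip()
    return out

def check_apache(text):
    """Flag SSLCACertificateFile when client verification is off (mod_ssl
    default SSLVerifyClient none): the file then never does anything."""
    d = parse_kv(text, " ")
    if "SSLCACertificateFile" in d and d.get("SSLVerifyClient", "none") == "none":
        return ["SSLCACertificateFile set with SSLVerifyClient none; "
                "put intermediates in SSLCertificateChainFile (or, in Apache "
                ">= 2.4.8, append them to SSLCertificateFile)"]
    return []

def check_postfix(text):
    """Flag smtpd_tls_CAfile when client certs are not requested (default
    smtpd_tls_ask_ccert no); intermediates belong in smtpd_tls_cert_file."""
    p = parse_kv(text, "=")
    if p.get("smtpd_tls_CAfile") and p.get("smtpd_tls_ask_ccert", "no") == "no":
        return ["smtpd_tls_CAfile set with smtpd_tls_ask_ccert no; "
                "append intermediates to smtpd_tls_cert_file instead"]
    return []

if __name__ == "__main__":
    for finding in check_apache(APACHE_VHOST) + check_postfix(POSTFIX_MAIN_CF):
        print("FINDING:", finding)
```

Both samples produce a finding; the same configs with the chain moved to SSLCertificateChainFile / smtpd_tls_cert_file, or with client verification actually enabled, produce none.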