On Wed, May 17 2017 at 11:19:48 +0200, Ulrich Windl scribbled in "Antw: Re: TLSCACertificateFile directive and multiple CA certificates":
Dameon Wagner dameon.wagner@it.ox.ac.uk wrote on 17.05.2017 at 10:34 in
<SNIP>
I just realized one important point about my setup: Both CA certificates have the same DN. Other than that they are completely different certificates (different key, expiry date). Both CA certificates are valid (not expired).
Depending on how you're testing things, the duplicate DN may well be _an_ issue, but possibly not a real issue...
I think the duplicate DN is a problem, because the DN (subject) is used to find a matching certificate. Then if that seems valid (regarding expiration dates), it'll be used. And I think the search is terminated here.
Indeed, it's definitely a problem, but I think the main problem is a misunderstanding about what the TLSCACertificateFile directive is for (and what Alex wants to achieve in using it).
From a PKI point of view there's no problem with this algorithm, right?
I don't think so. The documentation is clear that order doesn't matter in the file pointed at by TLSCACertificateFile, but that mostly refers to not having to apply the certificate chain in order of descent, rather than any order of priority -- so long as the chain can be traversed without gaps using the certificates concatenated in the file, it should be happy.
(I won't comment on how carefully pedantic sysadmins like myself craft our chain files :)
Cheers.
Dameon.
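The scenario the thread argues about (two CAs with identical subject DNs but different keys, concatenated into one CA file, with the order of the file varied) can be reproduced outside slapd. The script below is an added example, not code from the thread or from the OpenLDAP project; it assumes the `openssl` command-line tool (1.1.1 or later) and constructs its own throwaway CAs, leaf certificate and config file. It only exercises OpenSSL's verifier, so it says nothing about a slapd that is linked against GnuTLS; the issuer lookup in the TLS library your slapd actually uses is what decides the question.

```shell
#!/bin/sh
# Added example (not from the thread): build two CAs that share a subject DN but
# have different keys, sign a leaf with the second CA, then check whether
# `openssl verify` accepts the leaf against a CA file holding both CAs, in
# either order. Assumes the openssl CLI; all certificates are constructed here.
set -eu

# Minimal OpenSSL config (constructed for this example) so the result does not
# depend on the system openssl.cnf. Both CAs get a subjectKeyIdentifier and the
# leaf gets an authorityKeyIdentifier, which is what lets a verifier tell two
# same-DN CAs apart.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:ldap.example.org
EOF
}

# make_ca <cfg> <out-prefix>: self-signed CA with the fixed DN and a fresh key
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1" -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# make_leaf <cfg> <ca-prefix> <out-prefix>: server cert signed by the given CA
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1" \
        -subj "/CN=ldap.example.org" -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$3.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1" -extensions v3_leaf -out "$3.pem" >/dev/null 2>&1
}

# verify_leaf <cafile> <leaf>: prints OK or FAIL instead of aborting under set -e
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# duplicate_dn_test: prints "ok" when the leaf verifies against both orderings of
# the CA file, "fail" otherwise, and "skip" when no openssl binary is available.
duplicate_dn_test() {
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d)
    cfg="$work/ca.cnf"
    write_config "$cfg"
    make_ca "$cfg" "$work/ca1"
    make_ca "$cfg" "$work/ca2"
    make_leaf "$cfg" "$work/ca2" "$work/leaf"      # issued by the SECOND CA
    cat "$work/ca1.pem" "$work/ca2.pem" > "$work/bundle-12.pem"
    cat "$work/ca2.pem" "$work/ca1.pem" > "$work/bundle-21.pem"
    r12=$(verify_leaf "$work/bundle-12.pem" "$work/leaf.pem")
    r21=$(verify_leaf "$work/bundle-21.pem" "$work/leaf.pem")
    # Show on stderr that the CAs share a subject but not a key identifier.
    openssl x509 -noout -subject -in "$work/ca1.pem" >&2
    openssl x509 -noout -subject -in "$work/ca2.pem" >&2
    echo "wrong CA first: $r12   right CA first: $r21" >&2
    rm -rf "$work"
    if [ "$r12" = OK ] && [ "$r21" = OK ]; then echo ok; else echo fail; fi
}

duplicate_dn_test
```

The leaf deliberately carries an authorityKeyIdentifier, so a verifier that indexes candidate issuers by subject still has something other than the DN to match on; dropping `authorityKeyIdentifier` from the `v3_leaf` section is the natural second experiment. For the question actually raised in the thread, the decisive test is against slapd itself (for example `ldapsearch -ZZ` from a client whose TLS library and CA file match the production setup), not `openssl verify` on a workstation.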