In response to a certificate signing request, a certification authority sent a web server certificate along with the certificate of an intermediate certification authority that signed the web server certificate. What should be done with the intermediate certificate in order to use the web server certificate with Apache HTTPD?



A. The intermediate certificate should be merged with the web server's certificate into one file that is specified in SSLCertificateFile
B. The intermediate certificate should be used to verify the certificate before its deployment on the web server and can be deleted
C. The intermediate certificate should be stored in its own file which is referenced in SSLCACertificateFile
D. The intermediate certificate should be imported into the certificate store of the web browser used to test the correct operation of the web server
E. The intermediate certificate should be archived and resent to the certification authority in order to request a renewal of the certificate

Explanation

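The "certification authority" in the question is a CA. There can be several layers of CAs: the topmost one is called the "Root CA", and the others are called "Intermediate CAs". Chaining these CAs together in order from bottom to top gives the "SSL Certificate Chain". Chaining the Cert (server certificate) together with the SSL Certificate Chain gives the "Full Certificate Chain".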

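In the Apache configuration file, "SSLCertificateKeyFile" specifies the location of the key file, and "SSLCertificateFile" specifies the location of the Cert (server certificate) file. Before Apache 2.4.8, "SSLCertificateFile" specifies the location of the Cert file and "SSLCertificateChainFile" specifies the location of the SSL Certificate Chain file. After Apache 2.4.8, "SSLCertificateFile" can directly specify the location of the Full Certificate Chain file.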

So option "A" is the correct answer.
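The two layouts described above, written out as a virtual host. This is an added example, not part of the original question or explanation; the host name and all file paths are placeholders, and the `<IfVersion>` blocks assume mod_version is loaded.

```apache
# Added example. Host name and paths are placeholders.
#
# fullchain.pem is the server certificate followed by the intermediate CA
# certificate, in that order:
#   cat server.crt intermediate.crt > fullchain.pem
#
# To see which certificates the running server actually sends:
#   openssl s_client -connect www.example.com:443 -showcerts

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # Private key that matches the server certificate.
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Apache 2.4.8 and later: one file holding the Full Certificate Chain.
    <IfVersion >= 2.4.8>
        SSLCertificateFile /etc/ssl/example/fullchain.pem
    </IfVersion>

    # Before Apache 2.4.8: server certificate and chain in separate files.
    <IfVersion < 2.4.8>
        SSLCertificateFile      /etc/ssl/example/server.crt
        SSLCertificateChainFile /etc/ssl/example/intermediate.crt
    </IfVersion>
</VirtualHost>
```

If the intermediate certificate is left out of both layouts, clients that do not already hold it cannot build a path from the server certificate to a trusted root, and the `-showcerts` output will list only the server certificate.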

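As for "SSLCACertificateFile", it can also be used to specify the "SSL Certificate Chain" file, but it is meant to be used with non-public CAs (those used to issue self-signed SSL certificates). However, the question does not describe the situation very clearly, so option "C" can also be a correct answer.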