2.3.150 SSLExportCertChainDepth
SSLExportCertChainDepth specifies how many certificates of the certificate chain (from the certificate of the CA that issued the client certificate up to the root CA certificate) are set in the environment variables SSL_CLIENT_CERT_CHAIN_n.
Description
When SSL client authentication is used, SSLExportCertChainDepth specifies how many certificates of the certificate chain (from the certificate of the CA that issued the client certificate up to the root CA certificate) are set in the environment variables SSL_CLIENT_CERT_CHAIN_n. The specified value becomes the maximum value of n. This directive is enabled only if the SSLExportClientCertificates directive is specified. Because the value specified in this directive is also the number of CA certificates that are cached on the gcache server, you can use the cache more efficiently by specifying only the number of CA certificates that CGI programs and servlets need. Note, however, that if some of the cached certificates have been deleted because of memory restrictions and can no longer be acquired, only the certificates that can be acquired are set in the environment variables.
Syntax
SSLExportCertChainDepth value
Specifiable values
- 0
  Does not set the environment variables.
- 1 to 9
  Assigns certificates to the environment variables in order from the certificate closest to the client certificate. The values set for the environment variables are the DER-format certificates converted to Base64 encoding. The size of a certificate encoded in Base64 is approximately 1 KB.
Locations where it can be written
httpsd.conf and <VirtualHost>
Example
- For a certificate chain consisting of "root CA-lower CA-client certificate"
  The following table shows the correlation between the environment variables and certificates:

| Environment variable | Certificate |
|---|---|
| SSL_CLIENT_CERT | Client certificate |
| SSL_CLIENT_CERT_CHAIN_1 | Lower CA certificate |
| SSL_CLIENT_CERT_CHAIN_2 | Root CA certificate |

To obtain all environment variables and certificate chains, specify the directive as follows:
SSLExportClientCertificates
SSLExportCertChainDepth 2
For SSLExportCertChainDepth, specify 2 or a greater value.
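
The Description notes that certificates dropped from the cache are not exported, so a CGI program should not assume the whole chain is present. The following Python sketch is an added example, not code from the product documentation: it reads the variables, decodes the Base64 DER values, and fails closed on a gap or a short chain. The function names, the tolerance for whitespace inside the Base64 text, and the placeholder byte strings standing in for certificates are assumptions.

```python
import base64
import binascii

MAX_DEPTH = 9  # largest value SSLExportCertChainDepth accepts

def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE, the outer shape of an X.509 certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                                  # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                                  # long form: n length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def decode_var(value):
    """Base64-decode one exported variable; ValueError on bad encoding or framing."""
    try:
        der = base64.b64decode("".join(value.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    if not der_sequence_ok(der):
        raise ValueError("decoded value is not a single DER SEQUENCE")
    return der

def read_exported_chain(environ, required_depth=0):
    """Return (client_der, [ca_der, ...]), CA certs ordered from issuer towards root."""
    if "SSL_CLIENT_CERT" not in environ:
        raise ValueError("SSL_CLIENT_CERT is not set")
    client = decode_var(environ["SSL_CLIENT_CERT"])
    present = [n for n in range(1, MAX_DEPTH + 1)
               if f"SSL_CLIENT_CERT_CHAIN_{n}" in environ]
    # Certificates dropped from the cache are simply not exported, so fail
    # closed on a gap or a short chain instead of trusting a partial one.
    if present != list(range(1, len(present) + 1)):
        raise ValueError(f"gap in exported chain, only {present} are set")
    if len(present) < required_depth:
        raise ValueError(f"need {required_depth} CA certificates, got {len(present)}")
    return client, [decode_var(environ[f"SSL_CLIENT_CERT_CHAIN_{n}"]) for n in present]

def _placeholder(n_bytes):
    """Constructed stand-in for a certificate: a DER SEQUENCE of zero bytes."""
    length = bytes([n_bytes]) if n_bytes < 0x80 else b"\x82" + n_bytes.to_bytes(2, "big")
    return base64.b64encode(b"\x30" + length + bytes(n_bytes)).decode()

# Constructed sample for the "root CA-lower CA-client certificate" chain above.
SAMPLE_ENV = {"SSL_CLIENT_CERT": _placeholder(300),
              "SSL_CLIENT_CERT_CHAIN_1": _placeholder(300),
              "SSL_CLIENT_CERT_CHAIN_2": _placeholder(100)}
```

In a real CGI program, pass `os.environ` instead of `SAMPLE_ENV`; the framing check only confirms that each value is a well-formed DER SEQUENCE and does not verify signatures or trust.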