Merging tlscertfile and tlscafile to only one TLS certificate

Julien ÉLIE julien at
Wed Sep 8 20:47:25 UTC 2021

Hi all,

A ticket has recently been opened regarding the use of tlscertfile and 
tlscafile.  (Looks like it is easier to contact us via Github than Trac!)

Currently, we have 2 files to deal with TLS certificates:
  - tlscertfile, from which INN loads only one certificate (the first);
  - tlscafile, from which INN loads all intermediary certificates.

Another possibility would be to only have 1 parameter, pointing to a 
file containing the whole chain.

I see in the inn.conf documentation:
"Note that unlike Apache's SSLCertificateFile directive, tlscertfile 
should not contain a concatenation of certificates.  Instead, if you 
have a certificate authority root certificate, set tlscafile to its path."

Wouldn't it be better to do the same thing as Apache?  Is there a reason 
for separating the certificates?  (In case there is one global CA file 
for the news server shared with several applications, it might make 
sense to have it elsewhere so maybe that is the reason, though it seems 
confusing to people.)

Julien ÉLIE

« Quae longo tempore extenuentur corpora, lente reficere oportet. »

More information about the inn-workers mailing list