Merging tlscertfile and tlscafile to only one TLS certificate

Russ Allbery eagle at
Wed Sep 8 22:53:37 UTC 2021

Julien ÉLIE <julien at> writes:

> A ticket has recently been opened regarding the use of tlscertfile and
> tlscafile.  (Looks like it is easier to contact us via Github than Trac!)

> Currently, we have 2 files to deal with TLS certificates:
>  - tlscertfile, from which INN loads only one certificate (the first);
>  - tlscafile, from which INN loads all intermediary certificates.

> Another possibility would be to only have 1 parameter, pointing to a file
> containing the whole chain.

There are some mechanisms for obtaining certs where this separation is the
most natural, and others where it's the most natural to have the full
chain back to a CA in one file.  Back when it was typical to buy a
commercial certificate, sometimes the result of that signing process would
be only the signed server certificate and to have a separate chain file
that you had to download that had the intermediate certs.

(BTW, tlscafile is kind of a misnomer.  It's essentially useless to have
the actual CA certificate around, since the client has to provide it
anyway.  It contains all the certificates leading back to, but not
including, the CA, although I think it's harmless to put the CA in there
as well.)

I think we should support loading all the certificates in tlscertfile, and
then, if tlscafile exists, add the certificates from it.  That should give
us the best of both worlds: existing usage will still work, but people can
migrate to putting the whole chain in tlscertfile.  And then if we choose
we can deprecate tlscafile, similar to how Apache has deprecated
SSLCertificateChainFile, which is the equivalent of our current scheme.

Russ Allbery (eagle at             <>

    Please send questions to the list rather than mailing me directly.
     <> explains why.

More information about the inn-workers mailing list