Bug 66474 - mod_ssl SSLCertificate[Key]File Directives description unclear regarding combined public/private files
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation (show other bugs)
Version: 2.5-HEAD
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: HTTP Server Documentation List
Reported: 2023-02-10 22:48 UTC by Philippe Cloutier
Modified: 2023-02-10 22:48 UTC
Description Philippe Cloutier 2023-02-10 22:48:25 UTC
The documentation of mod_ssl's SSLCertificateFile Directive contains the following paragraph:
Finally the end-entity certificate's private key can also be added to the certificate file instead of using a separate SSLCertificateKeyFile directive. This practice is highly discouraged. If it is used, the certificate files using such an embedded key must be configured after the certificates using a separate key file. If the private key is encrypted, the pass phrase dialog is forced at startup time.

SSLCertificateKeyFile's documentation contains a similar paragraph:
The private key may also be combined with the certificate in the file given by SSLCertificateFile, but this practice is highly discouraged. If it is used, the certificate files using such an embedded key must be configured after the certificates using a separate key file.

These paragraphs are both unclear about the reason why the mentioned practice is highly discouraged. According to what Lucien Gentis wrote in ticket #66384, the constraint mentioned is that directives cannot be freely ordered when such directives are used.

Please clarify the constraint and explain why the practice is discouraged. I suggest replacing SSLCertificateKeyFile's paragraph with:
The private key may also be combined with the certificate in the file given by SSLCertificateFile, but this practice is highly discouraged. If it is used, the directives with certificate files using such an embedded key must follow directives with certificates using a separate key file.
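The ordering constraint the report asks the documentation to spell out, shown as a configuration fragment. This is an added example, not text from the bug report or from the httpd documentation; all file paths are placeholders.

```apache
# Added example (not from the bug report or the httpd docs); paths are placeholders.
# One vhost serving two end-entity certificates (for instance RSA and ECDSA).
<VirtualHost *:443>
    SSLEngine on

    # Certificate whose private key is kept in a separate key file.
    SSLCertificateFile    /etc/ssl/example/rsa-cert.pem
    SSLCertificateKeyFile /etc/ssl/example/rsa-key.pem

    # Certificate file that also embeds its own private key (the practice the
    # documentation discourages). Per the docs it must come AFTER every
    # SSLCertificateFile that relies on a separate SSLCertificateKeyFile.
    SSLCertificateFile    /etc/ssl/example/ecdsa-cert-with-key.pem
</VirtualHost>

# Ordering the documentation says is NOT permitted: the embedded-key
# certificate file precedes a certificate that uses a separate key file.
# (Kept commented out so the fragment above remains the only active vhost.)
#<VirtualHost *:443>
#    SSLEngine on
#    SSLCertificateFile    /etc/ssl/example/ecdsa-cert-with-key.pem
#    SSLCertificateFile    /etc/ssl/example/rsa-cert.pem
#    SSLCertificateKeyFile /etc/ssl/example/rsa-key.pem
#</VirtualHost>
```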