Combine Let's Encrypt Certificate with Self-Signed CA

Hi there,

I am trying to do a setup and I am not sure if it is possible at all but if not I was surprised.
It was already confirmed in other threads that Let's Encrypt certificates can NOT be used for client authentication. It is not 100 percent true because actually you can just install your actual server certificate on the client to make it working, but since the latter can just be downloaded from the browser as HTTPS certificate it would not make much sense.

What I am trying to do now is having a Virtual Host configuration in Apache HTTPD where I am using the Let's Encrypt certificate for HTTPS access in browser and a self-signed cert from a self signed CA for Client authentication.

I seem to struggle with the SSL config at all.
Please see the SSL part for my virtual host:

SSLCertificateFile /etc/apache2/certs/letsencrypt.crt
SSLCertificateKeyFile /etc/apache2/certs/letsencrypt.key

SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/certs/isrgrootx1.pem #This is the Root cert of Let's Encrypt but I wish to use a self signed here....

The thing is that apparently the SSLCACertificateFile directive has to be compatible with the other two directives SSLCertificateFile and SSLCertificateKeyFile. So for me this means I can not combine different certificate authorities each for HTTPS and Client Certificate.

Am I missing something? Any insights will be appreciated.
Thanks so much!


Well, they can just fine (they do have Client Authentication enabled), but there are reasons that it may not be what you want to do, sure.

Sure, that sounds like a good approach.

I don't know why you think that? SSLCACertificateFile is just for the client authentication, and SSLCertificateFile/SSLCertificateKeyFile is just for the server authentication, as far as I can tell. (I haven't configured Apache for client authentication myself, but I don't think it does anything weird in terms of configuring it.) What problem exactly are you running into?


AFAIK client authentication also requires the certificates corresponding private key? So just downloading the cert wouldn't suffice.

That said, I also believe using a private CA for client authentication is the way to go.

As far as I know, this is not the case. In fact, often the SSLCACertificateFile directive is mistakenly used as part of the server HTTPS part of TLS.

Please see SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4 for more info about client authentication in Apache.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.