[Mod_nss-list] Fwd: NSS Initialisation and virtual hosts

Rob Crittenden rcritten at redhat.com
Thu Sep 8 13:28:05 UTC 2016


Oliver Graute wrote:
> On Wed, Sep 7, 2016 at 6:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Oliver Graute wrote:
>>>
>>> Hello,
>>>
>>> in our project we tried to use two Virtual Hosts with two different
>>> Certificate Chains in two NSS databases. One for local and one for
>>> remote connections.
>>>
>>> After a bit of debugging it seems that this setup is not possible, because
>>> NSS_Init is only called once and not called twice for every vhost entry.
>>>
>>> There is already a Bug 1256527 concerning this issue:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1256527
>>>
>>> What needs to be done to fix this limitation? So how hard can it be to
>>> fix this?
>>
>>
>> I haven't scoped it yet so I can't really say how difficult it will be.
>>
>>> What alternatives do we have to get two certificate chains working with nss?
>>>
>>> We thought that an alternative could be to start two separated Apache
>>> instances. Is this an approach to go, or do we get in trouble with the nss lib too?
>>
>>
>> I don't see why you can't have two server certificates and chains in the
>> same NSS database as long as the subjects are unique. Is that not working
>> for you?
>>
>
> The problem is that we have a requirement for a PKI with a Root CA
> with a separate Sub CA for LAN (local) and Sub CA for WAN (remote) which
> will build up two separate chains. A certificate that is verified by
> one chain shall not be verified by the other chain.

I don't see one validating the other but I understand that your goal is 
separation.

I don't believe there is a way to do this today.

rob
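The separation Oliver describes (one root, two sub CAs, a certificate under one sub CA must not validate under the other chain) can be checked outside mod_nss with NSS's own certutil. The script below is an added example and is not code from this thread or from the mod_nss project; it assumes certutil from the NSS tools is installed and supports the sql: database format and the --empty-password flag, and all CA names, nicknames and hostnames are made up. It builds everything in one issuer database, then fills a LAN database and a WAN database with the shared root plus only their own sub CA and server certificate, and verifies that each server certificate validates only in its own database. This is what two NSS databases would give two vhosts if mod_nss could open one per vhost, which, per the thread, it cannot today.

```shell
#!/bin/sh
# Added example (not part of the original thread). Requires certutil from NSS tools.
# Constructed names: root-ca, lan-sub-ca, wan-sub-ca, lan-server, wan-server.

nss_db_new() {            # $1 = directory for a fresh, password-less NSS database
    mkdir -p "$1"
    certutil -N -d "sql:$1" --empty-password
    head -c 64 /dev/urandom > "$1/noise"      # entropy file so -S never prompts
}

# Issue a certificate inside database $1. $4 is the issuer nickname ("" = self-signed).
# CA certificates get a basicConstraints extension through certutil's -2 prompts:
# "is a CA" = y, path length = default (empty line), "critical" = y.
nss_issue() {             # $1 db, $2 nickname, $3 subject, $4 issuer, $5 serial, $6 ca|leaf
    db=$1; nick=$2; subj=$3; issuer=$4; serial=$5; kind=$6
    if [ -z "$issuer" ]; then signer="-x"; else signer="-c $issuer"; fi
    if [ "$kind" = ca ]; then
        printf 'y\n\ny\n' | certutil -S -d "sql:$db" -n "$nick" -s "$subj" $signer \
            -t "CT,C,C" -k rsa -g 2048 -m "$serial" -z "$db/noise" -2 >/dev/null
    else
        certutil -S -d "sql:$db" -n "$nick" -s "$subj" $signer \
            -t ",," -k rsa -g 2048 -m "$serial" -z "$db/noise" >/dev/null
    fi
}

nss_copy() {              # copy certificate $3 (no key) from db $1 to db $2 with trust flags $4
    certutil -L -d "sql:$1" -n "$3" -a | certutil -A -d "sql:$2" -n "$3" -t "$4" -a
}

nss_populate() {          # $1 issuer db, $2 vhost db, $3 lan|wan: shared root + own chain only
    nss_copy "$1" "$2" root-ca "CT,C,C"
    nss_copy "$1" "$2" "$3-sub-ca" ",,"
    nss_copy "$1" "$2" "$3-server" ",,"
}

nss_valid() {             # succeeds only if $2 builds a valid SSL-server chain inside db $1
    certutil -V -d "sql:$1" -n "$2" -u V >/dev/null 2>&1
}

demo_separate_chains() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil (NSS tools) not installed; demo skipped" >&2
        return 0
    fi
    work=$(mktemp -d)
    ca=$work/issuer; lan=$work/lan; wan=$work/wan
    nss_db_new "$ca"; nss_db_new "$lan"; nss_db_new "$wan"
    nss_issue "$ca" root-ca    "CN=Example Root CA"        ""         1 ca
    nss_issue "$ca" lan-sub-ca "CN=Example LAN Sub CA"     root-ca    2 ca
    nss_issue "$ca" wan-sub-ca "CN=Example WAN Sub CA"     root-ca    3 ca
    nss_issue "$ca" lan-server "CN=intranet.example.test"  lan-sub-ca 4 leaf
    nss_issue "$ca" wan-server "CN=www.example.test"       wan-sub-ca 5 leaf
    nss_populate "$ca" "$lan" lan
    nss_populate "$ca" "$wan" wan
    # Positive checks: each server certificate validates in its own database.
    nss_valid "$lan" lan-server || return 1
    nss_valid "$wan" wan-server || return 1
    # Negative checks: the foreign server certificate, even when present in the
    # other database, does not validate there because that database lacks the
    # matching sub CA, although both databases trust the same root.
    nss_copy "$ca" "$wan" lan-server ",,"
    nss_copy "$ca" "$lan" wan-server ",,"
    if nss_valid "$wan" lan-server; then return 1; fi
    if nss_valid "$lan" wan-server; then return 1; fi
    rm -rf "$work"
    echo "separation holds: each chain validates only in its own database"
}

demo_separate_chains
```

The negative checks are the ones that matter for the requirement in the thread: dropping the LAN sub CA from the WAN database is what prevents a LAN certificate from being accepted on the WAN side, so whatever serves the two vhosts must keep those intermediates apart, whether that is two mod_nss databases (not possible today) or two Apache instances each with its own database.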



