View Issue Details

IDProjectCategoryView StatusLast Update
0001517Main CAcert Websitewebsite contentpublic2021-05-11 19:30
Reporterjandd Assigned Toegal  
Status solved?Resolutionfixed 
PlatformMain CAcert WebsiteOSN/AOS Versionstable
Summary0001517: Rewrite Rules for new class3 certificate
DescriptionThe new class3 certificate that has been issued on Monday 2021-04-19 contains the following URLs that need to be mapped on the main website:

CA Issuers:

The first URL should be mapped to and the certificate itself should be made available as

Please add the following RewriteRule in the https VirtualHost:

Rewrite "^/class3.crl$" "/class3-revoke.crl" [PT]

Please put the certificate cacert_2021.crt as class3_2021.crt into the $DOCUMENT_ROOT/certs folder and add the following RewriteRule in the http VirtualHost

Rewrite "^/class3.crt$" "/certs/class3_2021.crt" [PT]
TagsNo tags attached.
Reviewed byegal, Ted
Test Instructions



2021-04-25 11:18

administrator   ~0005988

Last edited: 2021-04-25 11:18

Tested in my test environment, Review successful


2021-05-09 10:03

administrator   ~0005995

Last edited: 2021-05-09 18:55

Hmm, this is a pure config change, so maybe Software Development is (IMHO) not the ideal department to review it... But as we don't have any alternatives I'd agree that a review by Software Development is better than none.

I have not evaluated the necessities of this change, but Jan's proposals sound plausible.

I did not find a "Rewrite" directive in the Apache documentation at , so I have nothing to review this proposal against. In this context, the review is a FAIL.

Assuming that I did overlook something and "Rewrite" is indeed some alias or abbreveation for the directive "RewriteRule", the rules are sensible, including the [PT] ("Passthrough") flag. For clarity it might be better to explicitly add the L ("last") flag, which is implied by [PT], so I'd propose to make it "[L,PT]" instead. But I don't consider this as critical.

Evaluation of the flags was based on Apache's documentation at


2021-05-10 17:03

administrator   ~0005998

Last edited: 2021-05-10 17:04

The following rules are already active on to redirect CRL-requests:

  Redirect permanent /revoke.crl
  Redirect permanent /class3-revoke.crl

So we could avoid adding new redirection for CRL and/or CSR and simply use the existing ones.

But ... we shouldn't forget to change to link to the new certificate


2021-05-11 07:04

administrator   ~0006000

@egal the existing ones do not cover the URLs mentioned in the new class3 certificate

CA Issuers:

We need to make the CRL and certificate available at these places to allow validation by clients that use these certificate fields for discovery.

@Ted you are right. It should be RewriteRule instead of Rewrite and [L,PT] is a good idea indeed


2021-05-11 07:11

administrator   ~0006001

So, for the "RewriteRule" directive this is a PASS from me.


2021-05-11 08:33

administrator   ~0006002

No objection from my site


2021-05-11 19:29

administrator   ~0006003

Last edited: 2021-05-11 19:30


  RewriteRule "^/class3.crl$" "/class3-revoke.crl" [L,PT]
  RewriteRule "^/class3.crt$" "/certs/class3_2021.crt" [PT]

to all VirtualHosts in cacert.conf (after making a backup of original file).

Installed resigned class3-certificate as


Restarted Apache and verified downloads (successfully)

Issue History

Date Modified Username Field Change
2021-04-21 20:25 jandd New Issue
2021-04-21 20:25 jandd Assigned To => egal
2021-04-25 11:18 egal Status new => needs review & testing
2021-04-25 11:18 egal Reviewed by => egal
2021-04-25 11:18 egal Note Added: 0005988
2021-04-25 11:18 egal Note Edited: 0005988
2021-05-09 10:03 Ted Note Added: 0005995
2021-05-09 11:15 Ted Note Edited: 0005995
2021-05-09 18:55 Ted Note Edited: 0005995
2021-05-09 18:55 Ted Note Edited: 0005995
2021-05-10 17:03 egal Note Added: 0005998
2021-05-10 17:04 egal Note Edited: 0005998
2021-05-11 07:04 jandd Note Added: 0006000
2021-05-11 07:11 Ted Note Added: 0006001
2021-05-11 07:11 Ted Reviewed by egal => egal, Ted
2021-05-11 08:33 egal Note Added: 0006002
2021-05-11 08:33 egal Status needs review & testing => ready to deploy
2021-05-11 19:29 egal Status ready to deploy => solved?
2021-05-11 19:29 egal Resolution open => fixed
2021-05-11 19:29 egal Note Added: 0006003
2021-05-11 19:30 egal Note Edited: 0006003