I have Apache 2.4 (win32) and have the following in my CA bundle.
Root 1
Subordinate 1
Subordinate 2
My server was signed off Subordinate 1. When I run openssl s_client -connect server:443, it shows both Subordinate 1 and Subordinate 2 among the acceptable CA names.
If I remove Subordinate 2 from the bundle, it only shows Subordinate 1 as an acceptable CA. However, if I remove Subordinate 1, it still shows as an acceptable CA.
It seems httpd references not only the CA bundle / CA files but also the certs in the chain file as acceptable CAs.
Is it possible to prevent a user signed off Subordinate 1 from using client certificate authentication while the server cert is issued off Subordinate 1?
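As an added example (not part of the question above, and not the asker's configuration), here is an httpd 2.4 mod_ssl setup that separates the three things that get mixed together in the question: the certificate chain the server presents, the trust store used to verify client certificates, and the CA names advertised in the CertificateRequest. File paths and the CN values "Root 1", "Subordinate 1" and "Subordinate 2" are assumptions for illustration. Two points matter for the question. First, the "Acceptable client certificate CA names" list that s_client prints is only a hint to the client; in 2.4 it is controlled by SSLCADNRequestFile / SSLCADNRequestPath and does not by itself restrict what the server accepts. Second, acceptance is decided by verification against SSLCACertificateFile / SSLCACertificatePath, and because Root 1 is trusted there, a client certificate issued by Subordinate 1 will still verify whenever the client sends the Subordinate 1 intermediate itself. Blocking Subordinate 1 while the server's own certificate still chains through it therefore needs an explicit access-control rule on the issuer, which the Require expr lines below add.

```apache
# Added example, not the asker's configuration. Paths and DN values are assumed.

Listen 443
<VirtualHost *:443>
    ServerName server.example.com
    SSLEngine on

    # Chain the SERVER presents. Since 2.4.8 the Subordinate 1 intermediate can
    # be appended to this file; SSLCertificateChainFile is no longer needed.
    SSLCertificateFile    "conf/ssl/server-with-sub1-chain.pem"
    SSLCertificateKeyFile "conf/ssl/server.key"

    # Trust store used to VERIFY client certificates. With Root 1 in here, any
    # certificate that chains to Root 1 (via Subordinate 1 or Subordinate 2)
    # verifies, regardless of which CA names were advertised.
    SSLCACertificateFile  "conf/ssl/ca-bundle.pem"
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # CA names ADVERTISED in the CertificateRequest. This is what s_client
    # shows as "Acceptable client certificate CA names". Advisory only.
    SSLCADNRequestFile    "conf/ssl/sub2-only.pem"

    # The actual enforcement: a client certificate that verified but was
    # issued by anything other than Subordinate 2 is refused with 403.
    <Location "/">
        <RequireAll>
            Require expr %{SSL_CLIENT_VERIFY} == "SUCCESS"
            Require expr %{SSL_CLIENT_I_DN_CN} == "Subordinate 2"
        </RequireAll>
    </Location>
</VirtualHost>
```

To check the advertised list after reloading, run openssl s_client -connect server:443 with stdin closed and look at the "Acceptable client certificate CA names" section of its output; to check enforcement, connect with a certificate issued by Subordinate 1 using -cert and -key and confirm the handshake completes but the request returns 403. SSL_CLIENT_I_DN_CN is the issuer's CN component, so if the two subordinates differ only in another RDN, match on that component (for example SSL_CLIENT_I_DN_OU) or on the full SSL_CLIENT_I_DN string instead.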