httpd-users mailing list archives

From: "Jose Correia (J)" <Corr...@telkom.co.za>
Subject: [users@httpd] apache and client certificates
Date: Tue, 17 Sep 2002 13:43:14 GMT

Hi all

Is anyone aware of Apache version 1.3.20 having problems with client
authentication??

I've created my own CA using openssl (vs 0.9.6a). I then
created and signed my server certificate with the CA using openssl.
(apache is on a RH Linux 6.2 machine)

I then created a client public key using Java's keytool (from my
Win2000 client machine). I then took this key and signed it with my CA
using openssl which I duly converted into DER format. I then imported
my CA's certificate in my JSSE keystore plus the now created client
certificate which replaces the previous public key.

In my Apache I mention these:
SSLCertificateFile /jose/CA2/server.crt
SSLCertificateKeyFile /jose/CA2/server.key
SSLCACertificateFile /jose/CA2/demoCA/cacert.pem
SSLVerifyClient require
SSLVerifyDepth  10

When I connect, I'm getting the following on ssl_engine.log

"[17/Sep/2002 15:20:22 28388] [error] SSL handshake failed (server
155.239.48.43:443, client 165.148.59.202) (OpenSSL library error
follows)
[17/Sep/2002 15:20:22 28388] [error] OpenSSL: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"

and from my Java client I'm getting:

"main, SEND SSL v3.1 ALERT:  fatal, description = certificate_unknown
main, WRITE:  SSL v3.1 Alert, length = 2
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"

Hence my confusion since I know my client certificate was signed by
the CA mentioned in apache httpd.conf... :-(

Anyone got a clue? I've searched extensively...

Thanks a lot
Jose Correia


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
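
Both log excerpts in the message record the certificate_unknown alert as sent by the Java client and read by Apache, so a chain check on this setup covers the server certificate as well as the client one. The script below is an added example, not part of the original message: it builds a throwaway CA and checks each certificate against it with openssl verify; all file names and subjects are constructed, and it assumes a current openssl command line rather than the 0.9.6a build named in the post.

```shell
#!/bin/sh
# Added example; every file name and subject below is constructed.
# Assumes a current openssl command line, not the 0.9.6a build from the post.

# issued_by CAFILE CERT: true only if CERT verifies against CAFILE, which is
# the check a TLS peer makes before it accepts or rejects a certificate.
issued_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# build_demo DIR: throwaway CA, CA-signed server and client certificates,
# and one self-signed certificate that the CA never issued.
build_demo() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null
    for name in server client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
            -subj "/CN=demo-$name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$name.crt" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -subj "/CN=demo-unsigned" -keyout "$d/stray.key" -out "$d/stray.crt" 2>/dev/null
}

# report DIR: print one line per certificate saying whether it chains to the CA.
report() {
    for c in server client stray; do
        if issued_by "$1/cacert.pem" "$1/$c.crt"; then echo "$c.crt: chains to CA"
        else echo "$c.crt: NOT issued by this CA"; fi
    done
}

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
report "$demo_dir"
```

The same issued_by check can be pointed at the real CA file and at the PEM form of whatever certificate each side actually presents, since a peer only trusts what is in its own CA store.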

