httpd-users mailing list archives

From kko <kark...@karkomaonline.com>
Subject Re: [users@httpd] Please help with certificates
Date Mon, 10 Nov 2003 13:26:51 GMT
On Mon, 2003-11-10 at 08:58, Ivan Venuti wrote:
> Hi,
> 
> I'm using Apache + mod_ssl.
> In order to retrieve a user certificate (from a smart card) I've these files
> in the server:
> 
> 	1) server_webtest.p12

Why did you create a p12 for your server? This format is typically used
by your client (i.e. browser).

> 	2) ca.cer (DER format)

I assume this is the file containing CA certs, right?

> 
> after I have transformed them with openssl:
> 
> 	$ openssl pkcs12 -in server_webtest.p12 -out hostkey.pem -nodes -nocerts
> 	$ openssl pkcs12 -in server_webtest.p12 -out hostcert.pem -nodes -nokeys

See below...

> 
> and
> 
> 	$ openssl x509 -inform DER -in ca.cer -outform PEM -out ca.crt
> 
> I have modified the conf/httpd.conf file with:
> 
> 	SSLCertificateFile /home/caribel/certs/hostcert.pem
> 	SSLCertificateKeyFile /home/caribel/certs/hostkey.pem
> 	SSLCACertificateFile /home/caribel/certs/ca.crt
> 	SSLVerifyClient require
> 
> the error (from logs/error_log):
> 
> [Mon Nov 10 11:22:22 2003] [alert] httpd: Could not determine the server's
> fully qualified domain name, using 127.0.0.1 for ServerName

What's the value of your ServerName Directive in httpd.conf?

> [Mon Nov 10 11:22:22 2003] [notice] Apache/1.3.28 (Unix) mod_jk/1.2.5
> mod_ssl/2.8.15 OpenSSL/0.9.7c configured -- resuming normal operations
> [Mon Nov 10 11:22:22 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Nov 10 11:22:36 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:36 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:36 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> [Mon Nov 10 11:22:39 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:39 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:39 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> [Mon Nov 10 11:22:43 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:43 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:43 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> 

Why didn't you create your csr/crt/pem directly and sign them?

Take a look at this
http://www.karkomaonline.com/article.php?story=20030713003329816

Hope this helps

-- 
kko <karkoma@karkomaonline.com>
karkomaonline


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
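
Added example, not part of the original thread: a shell example of the route suggested in the reply (create the CSR and certificate directly and sign them), then `openssl verify` run once trusting the issuing CA and once trusting an unrelated one. OpenSSL reports verify error 19 when the presented chain ends in a self-signed root that is absent from the trusted CA file; every name, subject and path below is constructed for the example.

```sh
#!/bin/sh
# Constructed demo: every name, subject and path here is made up for the example.
set -eu

make_pki() {  # $1 = empty working directory
  d=$1
  # Self-signed CA that issues the client cert (what SSLCACertificateFile should hold).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # A second, unrelated self-signed CA, standing in for a trust file that lacks the issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
  # Client key and CSR, then sign the CSR with the Demo CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/client.crt" 2>/dev/null
}

# Print "OK", or the numeric verify error, for client.crt when only $2 is trusted.
# -untrusted passes the issuing CA the way a client sends it inside its chain.
verify_with() {  # $1 = PKI directory, $2 = CA file to trust
  out=$(openssl verify -CAfile "$2" -untrusted "$1/ca.crt" "$1/client.crt" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir"
echo "trusting the issuing CA:  $(verify_with "$demo_dir" "$demo_dir/ca.crt")"
echo "trusting an unrelated CA: $(verify_with "$demo_dir" "$demo_dir/other.crt")"
rm -rf "$demo_dir"
```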

