httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] apache client authentication problem (somewhat long)
Date Tue, 28 Nov 2006 22:03:45 GMT
On 11/28/06, Bill Tangren <bjt@aa.usno.navy.mil> wrote:
> Serge Dubrouski wrote:
> > Your client submits a certificate signed by a CA whose certificate you
> > don't have in your SSLCACertificatePath. Actually it looks like you
> > incorrectly configured it. You have:
> >
> > SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> > SSLCACertificatePath /etc/httpd/conf/ssl.crt
> >
> > You should use just one of those options. If you use
> > SSLCACertificateFile, your file (stacked PEM) should have certificates
> > for all CAs that issue certificates for your clients. If you use
> > SSLCACertificatePath, place all certs into that directory and create
> > links as described here:
> >
> > http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
> >
> >
> >
>
>
> OK, I've read that. I may be stuck on this line:
>
> 1: # Make sure the new CA certificate is in PEM format.
>
> The CAs I obtained from a very user-hostile web site. It listed each CA
> separately (like CA-12, CA-13, etc.), and allowed me to view the certificates,
> or download them. If you download them, I am given .cer files. If you view them,
> I am given a lot of text in between a -----BEGIN CERTIFICATE----- and an
> -----END CERTIFICATE-----, as well as the certificate contents in readable form.
> I don't know what .cer files are, except googling indicates they may be
> something that Microsoft uses, as MS has a utility that reads them, and will
> install the certificate. I copied each text certificate and concatenated them
> into a single root.crt file.
>
> This link:
>
> http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-ca-cert.htm
>
> seems to indicate that what I did was correct.
>
> Also, removing the SSLCACertificatePath line in ssl.conf does not help.
>
> I have an emailed copy of another server's root.crt file, from a site that has
> this working, and I STILL get these errors. I had copied his ssl.conf as well.
> He used both lines given above.

And that's not a problem with your server certificate. That's a
problem with client certificates. You have to have certs for CAs that
issued client certificates.

>
> Thanks for responding.
>
> Any other ideas?
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
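
The setup discussed in this thread (CA files downloaded as `.cer` or copied as text, then placed in an `SSLCACertificatePath` directory with hash links), as an added example that is not part of the original messages. It assumes the `openssl` command-line tool is installed; the function names and directory arguments are hypothetical.

```bash
# Added example (not from the thread). Directory and file names are hypothetical.
# Requires the openssl command-line tool.

# to_pem IN OUT: write the certificate in IN to OUT as clean PEM.
# IN may be binary DER (a common .cer encoding) or PEM with readable text
# pasted around it. One certificate per input file is assumed.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -out "$2"               # re-encode, dropping extra text
    else
        openssl x509 -inform DER -in "$1" -out "$2"   # DER -> PEM
    fi
}

# build_ca_dir SRC_DIR CA_DIR: convert every file in SRC_DIR into CA_DIR and
# create the <subject-hash>.N symlinks OpenSSL uses to find a CA in a directory.
# SRC_DIR and CA_DIR are assumed to be different directories.
build_ca_dir() {
    mkdir -p "$2" || return 1
    for f in "$1"/*; do
        name=$(basename "$f"); name=${name%.*}.pem
        to_pem "$f" "$2/$name" 2>/dev/null || { echo "not a certificate: $f" >&2; return 1; }
        hash=$(openssl x509 -noout -hash -in "$2/$name") || return 1
        n=0
        while [ -L "$2/$hash.$n" ]; do n=$((n + 1)); done   # same hash: .1, .2, ...
        ln -s "$name" "$2/$hash.$n"
    done
}

# issuer_known CA_DIR CLIENT_CERT: succeed only if CLIENT_CERT chains to a CA
# in CA_DIR. Note: openssl may also consult its built-in default CA file;
# on OpenSSL 1.1.0 and later, adding -no-CAfile excludes it.
issuer_known() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Point `SSLCACertificatePath` at the directory `build_ca_dir` produces, then run `issuer_known` against a certificate exported from the client that is being rejected.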
