httpd-users mailing list archives

From Kenneth Svee <k.s.s...@usit.uio.no>
Subject Re: [users@httpd] apache client authentication problem (somewhat long)
Date Wed, 29 Nov 2006 16:16:06 GMT
[ Bill Tangren ]

> Serge Dubrouski wrote:
>> Your client submits a certificate signed by a CA whose certificate you
>> don't have in your SSLCACertificatePath. Actually it looks like you
>> incorrectly configured it. You have:
>> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
>> SSLCACertificatePath /etc/httpd/conf/ssl.crt
>> You should use just one of those options. If you use
>> SSLCACertificateFile your file (stacked pem) should have certificates
>> for all CAs that issue certificates for your clients. If you use
>> SSLCACertificatePath place all certs into that directory and create
>> links like it's described here:
>> http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
>
>
> OK, I've read that. I may be stuck on this line:
>
> 1: # Make sure the new CA certificate is in PEM format.
>
> The CA's I obtained from a very user-hostile web site. It listed
> each CA separately (like CA-12, CA-13, etc.), and allowed me to view
> the certificates, or download them. If you download them, I am given
> .cer files. If you view them, I am given a lot of text in between a
> -----BEGIN CERTIFICATE----- and an -----END CERTIFICATE-----, as
> well as the certificate contents in readable form. I don't know what
> .cer files are, except googling indicates they may be something that
> Microsoft uses, as MS has a utility that reads them, and will
> install the certificate. I copied each text certificate and
> concatenated them into a single root.crt file.

.cer seems like another shortname for "certificate", like ".crt". The
CA-cert /most probably/ is in the PEM format.

You've got the client certs (.crt?)? Try using OpenSSL to view what's
in them:

  bash# openssl x509 -text -in <client.crt>

You can even grep out the issuer (CA) to see which CA-cert you need to
verify the client certificate:

  bash# openssl x509 -text -in <client.crt> | grep Issuer

The OU should give you some idea of the correct CA-cert you need. You
might be lucky and have some more info in the X509v3-extensions that
gives you a URL to the CA-cert itself.

You can try dumping the CA-cert with the same OpenSSL-commands.

When you have the CA-cert that signed the client-cert, point to it in
your httpd.conf with the SSLCACertificateFile-directive (if you need
no more than this one CA-cert for your server). See docs for more
info.

The whole dealio is that the webserver needs the exact CA-cert that
signed the client-cert to verify the clients.


Rgds,
Kenneth Svee

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
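
Added example, not part of the original message or of the Apache project: a shell sketch of the procedure discussed in this thread. It normalises .cer/.crt files to PEM, splits a stacked root.crt into single certificates, and reports which CA certificate issued a given client certificate. The function names (to_pem, split_bundle, find_issuer) and the ca-N.pem output names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. File names passed in are the caller's; none come from the thread.

# Normalise one certificate to PEM: a .cer/.crt may be PEM text or binary DER.
to_pem() {  # to_pem <in> <out>
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Split a stacked PEM file into <outdir>/ca-N.pem, one certificate per file.
# Anything outside the BEGIN/END markers (pasted readable text) is dropped.
split_bundle() {  # split_bundle <bundle> <outdir>
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/ca-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { if (f != "") close(f); f = "" }
    ' "$1"
}

# Print the CA file that issued <client-cert>; return 1 if none of them did.
#  1. the client's issuer-name hash must equal the CA's subject-name hash
#  2. openssl verify must accept the client cert with that file as -CAfile
#     (-partial_chain lets an intermediate CA act as the trust anchor)
find_issuer() {  # find_issuer <client-cert> <ca-file>...
    local client="$1" tmp want ca rc=1
    shift
    tmp=$(mktemp -d) || return 2
    if to_pem "$client" "$tmp/client.pem" 2>/dev/null; then
        want=$(openssl x509 -noout -issuer_hash -in "$tmp/client.pem")
        for ca in "$@"; do
            to_pem "$ca" "$tmp/ca.pem" 2>/dev/null || continue
            [ "$(openssl x509 -noout -subject_hash -in "$tmp/ca.pem")" = "$want" ] || continue
            if openssl verify -partial_chain -CAfile "$tmp/ca.pem" "$tmp/client.pem" 2>/dev/null |
                    grep -q ': OK$'; then
                echo "$ca"; rc=0; break
            fi
        done
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

The subject hash compared in step 1 is the same value that the hash-named links in an SSLCACertificatePath directory are built from.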

