httpd-users mailing list archives

From Kenneth Svee <>
Subject Re: [users@httpd] apache client authentication problem (somewhat long)
Date Wed, 29 Nov 2006 16:16:06 GMT
[ Bill Tangren ]

> Serge Dubrouski wrote:
>> Your client submits certificate signed by CA which certificate you
>> don't have in your SSLCACertificatePath. Actually it looks like you
>> incorrectly configured it. You have:
>> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
>> SSLCACertificatePath /etc/httpd/conf/ssl.crt
>> You should use just one of those options. If you use
>> SSLCACertificateFile your file (stacked pem) should have certificates
>> for all CA that issue certificates for you clients. If you use
>> SSLCACertificatePath place all certs into that directory and create
>> links like it's described here:
> OK, I've read that. I may be stuck on this line:
> 1: # Make sure the new CA certificate is in PEM format.
> The CAs I obtained from a very user-hostile web site. It listed
> each CA separately (like CA-12, CA-13, etc.), and allowed me to view
> the certificates, or download them. If you download them, I am given
> .cer files. If you view them, I am given a lot of text in between a
> -----BEGIN CERTIFICATE----- and an -----END CERTIFICATE-----, as
> well as the certificate contents in readable form. I don't know what
> .cer files are, except googling indicates they may be something that
> Microsoft uses, as MS has a utility that reads them, and will
> install the certificate. I copied each text certificate and
> concatenated them into a single root.crt file.

.cer seems like another shortname for "certificate", like ".crt". The
CA-cert /most probably/ is in the PEM format.

You've got the client certs (.crt?)? Try using OpenSSL to view what's
in them:

  bash# openssl x509 -text -in <client.crt>

You can even grep out the issuer (CA) to see which CA-cert you need to
verify the client certificate:

  bash# openssl x509 -text -in <client.crt> | grep Issuer

The OU should give you some idea of the correct CA-cert you need. You
might be lucky and have some more info in the X509v3-extensions that
give you a URL to the CA-cert itself.

You can try dumping the CA-cert with the same OpenSSL-commands.

When you have the CA-cert that signed the client-cert, point to it in
your httpd.conf with the SSLCACertificateFile-directive (if you need
no more than this one CA-cert for your server). See docs for more.

The whole dealio is that the webserver needs the exact CA-cert that
signed the client-cert to verify the clients.

Kenneth Svee
