httpd-users mailing list archives
From Lampa <>
Subject [users@httpd] SSL client authentication with multiple CA
Date Tue, 25 Aug 2009 17:37:12 GMT

is Context: server config, virtual host, but in the examples they are used in Directory context, so I assumed that is a documentation typo.

I am using a web server with HTTPS (crt signed by Thawte), but my problem is that I tried to use client auth with certs; now I have 2 directories (in future this will grow) which should be protected. I have one CA (self-signed, e.g. root CA - conf/ssl/v1.crt) for version 1; the second version uses its own CA (intermediate - conf/ssl/ca/v2.crt), which is issued by another root CA (conf/ssl/ca/v2root.crt) (different from version 1); the file conf/ssl/ca.crt contains chained version 1 and 2 (i.e. 2 certs). This setting is working weirdly - v2 is using v1 certificates, which it must not. I need only access to v1/ with v1.crt-signed certs and v2/ with v2.crt-signed certs. I tried to use the example from (the second example - where clients are all part of a common hierarchy, which is encoded into the DN), but I have 2 directories and 2 CAs; if I enable the commented SSLCACertificateFile conf/ssl/ca/v2.crt for v2, v1 stops working and I get "Re-negotiation handshake failed: Not accepted by client!?" in error.log.

Any advice and help would be most welcome.

Thank you.

config snippet (options are in server context):

SSLCertificateChainFile conf/ssl/ca.crt

<Directory /var/www/app/v1>
       SSLVerifyClient require
       SSLVerifyDepth 1

       SSLCACertificateFile conf/ssl/v1.crt
</Directory>

<Directory /var/www/app/v2>
       SSLVerifyClient require
       SSLVerifyDepth 2
       SSLOptions +ExportCertData +StrictRequire
#       SSLCACertificateFile conf/ssl/ca/v2.crt
       SSLCACertificatePath conf/ssl/ca
</Directory>
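As an added example (not the original poster's configuration): one pattern for two directories with different client CAs that keeps the whole client CA list at the virtual-host level, so no per-directory change of SSLCACertificateFile forces a renegotiation, and restricts each directory with SSLRequire on the issuer of the presented client certificate. The file names server.crt, server.key, thawte-intermediate.crt and client-cas.crt and the issuer CNs "v1 Root CA" and "v2 Intermediate CA" are assumed placeholders.

```apache
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      conf/ssl/server.crt
    SSLCertificateKeyFile   conf/ssl/server.key
    # SSLCertificateChainFile carries the *server* certificate's chain
    # (the Thawte intermediate), not the CAs that issue client certs.
    SSLCertificateChainFile conf/ssl/thawte-intermediate.crt

    # Trust anchors for client certificates, concatenated into one file
    # (assumed name): v1 root, v2 root and the v2 intermediate.
    SSLCACertificateFile    conf/ssl/client-cas.crt
    # Verification settings set once for the whole vhost; depth 2 covers
    # leaf -> v2 intermediate -> v2 root.
    SSLVerifyClient         require
    SSLVerifyDepth          2

    <Directory /var/www/app/v1>
        # Accept only certificates issued directly by the v1 root CA
        # (placeholder CN).
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "v1 Root CA"
    </Directory>

    <Directory /var/www/app/v2>
        SSLOptions +ExportCertData +StrictRequire
        # Accept only certificates issued by the v2 intermediate CA
        # (placeholder CN); v1-issued certs are rejected here.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "v2 Intermediate CA"
    </Directory>
</VirtualHost>
```

With the CA list loaded once at vhost level, a v1 certificate still verifies cryptographically but fails the SSLRequire check in v2/ (and vice versa), which is the separation the post asks for.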

