httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Scott Thomas <scott_thomas...@yahoo.com>
Subject [users@httpd] Mutual Authentication using Multiple CA's in Apache does not work
Date Fri, 04 Jun 2010 04:02:57 GMT
Bonjour All Users, 


My setup has a ROOT CA and 3 level of Sub CA's. I have generated apache web server and client
certificates from every the ROOT and Sub CA's. 

I have configured my APACHE web server for client certificate (mutual) authentication. I have
generated the apache web server certificate and client certificates from the ROOT CA with
proper extensions. In case of Root CA, it works well. Mutual authentication works fine.

In case of Sub CA, the apache web server certifictae and client certificates are generated
by SubCA with the same extensions/profile as in case of ROOT CA. But when i try to authenticate
users from Sub CA's then following error occurs "unhandled critical extension". SSLCACertificateFile
contains the concatenated certifcates of all the CA's( issuing CA certtificate is at top and
Root ca certificate is at bottom of this file)


Here is my vhost file

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
DocumentRoot /srv/www/htdocs/
ServerName XXXXXXXXXXXXXX
RewriteEngine On
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

<VirtualHost *:443>

DocumentRoot /srv/www/htdocs/
ServerName XXXXXXXXX
SSLEngine on
SSLCipherSuite HIGH
SSLProtocol all -SSLv2

SSLCertificateFile /etc/apache2/certificates/cert.pem
SSLCertificateKeyFile /etc/apache2/certificates/key.pem
SSLCACertificateFile /etc/apache2/certificates/chain.pem
#SSLCertificateChainFile /etc/apache2/certificates/chain.pem
//chain.pem contains all the upper level certificates concanetated such that (1st certificate
is of issuing CA , going downward towards the root CA...
// i have also tried with the SSLCertificateChainFile directive but the error is same ...

<Directory "/srv/www/htdocs/">
SSLVerifyClient require
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "XXXX"
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
</Directory>

</VirtualHost>

I am using OpenSSL version 0.9.8h release 28 May 2008 and Apache version 2.2.10-2.5

Kindly guide me in this aspect.
Waiting for your kind Reply

Best Regards
Scott Thomas


      
Mime
View raw message