httpd-users mailing list archives

From d...@dmaurer.net
Subject [users@httpd] SSL / ca-bundle.crt file
Date Wed, 10 May 2017 12:41:02 GMT
This is a follow-up to an email I sent out last Friday.

We are setting up a website to use MIL CAC cards. As long as we have
SSLVerifyClient require and SSLVerifyDepth 10, and we do not remove anything
from the ca-bundle.crt file we receive from DOD, it works fine.

Our problem is: When a user puts in his CAC and goes to our site we only
want the "EMAIL CA" to show in the "Select a Certificate" box. So we
change the SSLVerifyDepth to a 1. When we do we get the "AH02040:
Certificate Verification: Certificate Chain too long (chain has 2
certificates, but maximum allowed are only 1)"

So we remove all the ROOT CAs (these are the ones in the "Subject" lines).
But when we do that we get the "AH02039: Certificate Verification: Error
(2): unable to get issuer certificate".

I found that for each cert in the ca-bundle.crt there is a "Subject" and an
"Issuer". For test purposes I removed the "Issuer" line of the cert and I
still get the "AH02039: Certificate Verification: Error (2): unable to get
issuer certificate".

So this tells me it needs the Issuer cert, which is not what we want
because it goes back to showing both certs in the "select a certificate"
for the user.

Has anyone been able to restrict what shows in the "select a certificate" box
with success, with Apache as the webserver?
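
mod_ssl keeps two lists apart: the CAs used to verify the client chain, and the CA names advertised to the browser, which the SSLCADNRequestFile directive can override. The configuration below is an added example, not part of the original message; the server name, all file paths, the split file email-ca-only.crt, and the assumption that ca-bundle.crt is loaded through SSLCACertificateFile are placeholders.

```apache
# Added example. Paths and names are placeholders, not taken from the message.
<VirtualHost *:443>
    ServerName cac.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key

    # Setup described in the message (assumed directive for the bundle):
    # every CA in the bundle is both trusted AND advertised to the browser.
    #   SSLCACertificateFile /etc/httpd/conf/ca-bundle.crt
    #   SSLVerifyClient require
    #   SSLVerifyDepth 10

    # Trust store used to VERIFY the client chain. It must still contain the
    # issuer of the EMAIL CA; removing the roots is what produces
    # "Error (2): unable to get issuer certificate".
    SSLCACertificateFile /etc/httpd/conf/ca-bundle.crt

    # CA names SENT to the client in the certificate request. Only the
    # EMAIL CA certificate(s) go in this file, so only those names are
    # offered to the browser for certificate selection.
    SSLCADNRequestFile /etc/httpd/conf/email-ca-only.crt

    SSLVerifyClient require

    # The AH02040 message reports a chain of 2 certificates, so depth 1 is
    # too small; 2 covers that chain without allowing arbitrarily long ones.
    SSLVerifyDepth 2
</VirtualHost>
```

The advertised list is only a hint that the client uses to filter its certificate picker. Verification still accepts any certificate that chains to a CA in the SSLCACertificateFile bundle, so limiting which issuers are accepted needs a separate access rule.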
