Re: Re: mod_ssl help

On Mon, Mar 4, 2013 at 10:42 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
What I was trying to point to is this:

# openssl x509 -noout -in /etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
        Validity
            Not Before: Aug 28 07:24:33 2008 GMT
            Not After : Dec 31 15:59:59 2030 GMT
        Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
.
.
.

As you can see, the DN is comma separated, not / separated ....

On the other hand, when tested with "openssl s_connect" for one of my certificates it comes out as "issuer=/C=AU/ST=NSW/L=Sydney/....", so sorry for the confusion, seems the / separator is correct.

Anyway, what does the test "openssl s_client -ssl3 -connect server_name:443" show in your case?



On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' <michele.mase@xxxxxxxxx> wrote:
The issuer DN is the same; the PEM file is a CA bundle.


On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:


On 04/03/2013 7:33 AM, "Michele Mase'" <michele.mase@xxxxxxxxx> wrote:
>
> Anyone?
>
>
> On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.mase@xxxxxxxxx> wrote:
>>
>> I'm testing a client authentication using:
>>
>> SSLCACertificateFile /path/to/pemfile.pem
>> <LocationMatch "/test">
>>         SSLVerifyClient require
>>         SSLVerifyDepth 2
>>         SSLOptions +StdEnvVars +ExportCertData
>>         SSLRequire  %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>> </LocationMatch>
>>
>>
>> I should use two different CAs with the same DN (file /path/to/pemfile.pem)
>> When I try to use this configuration I receive:
>> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
>> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>>
>> The only way it works is without the SSLRequire directive.
>> or
>> Using only one CA in the file (file /path/to/pemfile.pem)
>>
>> Some suggestions?
>>
>> Regards
>> Michele Masè
>
>
Please paste the output of

# openssl x509 -noout -in /path/to/pemfile.pem -text

so we know what we are talking about here. If there are multiple DNs in the file, why are you trying to match one using eq then? Anyway, the above command will show us the issuer DN string and you can see what you are doing wrong.
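The string comparison the thread is debugging, as an added example that is not code from any of the posters: it splits a CA bundle into its individual certificates, converts the comma-separated DN that `openssl x509 -text` prints into the slash-separated form mod_ssl puts in SSL_CLIENT_I_DN, and classifies why an `eq` match fails. The bundle contents and DN values are constructed for the example.

```python
import re

# Constructed sample bundle (placeholder bodies, not real certificates): two CA
# entries, which is what SSLCACertificateFile loads in the thread's setup.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-ONE-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-TWO-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
"""

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text):
    """Return every PEM certificate block in a CA bundle, in file order.
    `openssl x509 -in bundle.pem` only decodes the first block, so a bundle
    has to be split like this to inspect each CA (pipe each block to openssl)."""
    return PEM_CERT.findall(pem_text)

def openssl_dn_to_mod_ssl(dn):
    """Turn the comma-separated DN printed by `openssl x509 -text`
    ('C=TW, O=TAIWAN-CA, OU=Root CA, CN=...') into the slash-separated form
    mod_ssl exposes in SSL_CLIENT_I_DN ('/C=TW/O=TAIWAN-CA/OU=Root CA/CN=...').
    Splits only on a comma that is followed by 'type=', so an attribute value
    that itself contains a comma (e.g. 'O=Acme, Inc.') stays intact."""
    rdns = re.split(r",\s+(?=[A-Za-z][A-Za-z0-9.]*=)", dn.strip())
    return "/" + "/".join(r.strip() for r in rdns)

def explain_mismatch(client_issuer_dn, required):
    """SSLRequire's `eq` is an exact string comparison. Classify why the DN
    mod_ssl saw does not equal the literal written in the directive."""
    if client_issuer_dn == required:
        return "match"
    got = [r.strip() for r in client_issuer_dn.split("/") if r.strip()]
    want = [r.strip() for r in required.split("/") if r.strip()]
    if got == want:
        return "whitespace differs"
    if [r.lower() for r in got] == [r.lower() for r in want]:
        return "case differs"
    if sorted(got) == sorted(want):
        return "RDN order differs"
    return "RDNs differ"

if __name__ == "__main__":
    print(len(split_bundle(SAMPLE_BUNDLE)), "certificates in bundle")
    seen = openssl_dn_to_mod_ssl("C=US, O=acme, OU=acme, CN=acme")
    print(seen, "->", explain_mismatch(seen, "/C=US/O=acme/OU=acme/CN=acme"))
```

The slash form is the Apache 2.2 format the thread uses; on Apache 2.4 the default SSL_CLIENT_I_DN is the comma-separated RFC 2253 form unless `SSLOptions +LegacyDNStringFormat` is set, so the literal in SSLRequire has to match whichever format the server actually produces.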