SSL client auth, accept only one specific intermediate CA

Hi!

How do I set up Apache mod_ssl to accept client certificates issued by one specific intermediate?

Let's have certificates (ordered by issuer):
  - root CA
    - intermediate 1
      - client 11
      - client 12
    - intermediate 2
      - client 21
      - client 22


I want to allow certificates 11 and 12 (and possibly others issued by "intermediate 1"), but not the others.

My naive approach was to add "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 1.

But that does not work.
It allows the client to select their certificate issued by "intermediate 1" (and not others), but when the connection goes on, it is refused.
Apache logs:
[error] Certificate Verification: Error (20): unable to get local issuer certificate

The only way I found to make it accept this certificate is to add both "root CA" and "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 2 or more.
But this also allows certificates issued by "intermediate 2", which I do not want.

How to solve this problem?


Fun fact: almost the same question was asked 16 years ago: http://marc.info/?l=apache-ssl&m=97326252821385&w=2
With no answer.

PS: I use Apache 2.2.3 with OpenSSL 0.9.8a

David Balažic
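The script below is an added example and is not part of the original post. It rebuilds the layout from the question as a throw-away PKI with the openssl CLI (root, two intermediates, one client under each) and then runs the two checks separately: OpenSSL's own path validation, which is what SSLCACertificateFile feeds, and a policy check on the client certificate's direct issuer. All names, subjects and file paths in it are made up for the demo; the issuer value it compares is the same one mod_ssl exposes to SSLRequire as SSL_CLIENT_I_DN.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throw-away PKI with
# the same shape as the question (root -> Intermediate 1 / Intermediate 2 ->
# one client each) using only the openssl CLI, then shows the two separate
# checks a server needs. Every name and file path below is invented.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n'  > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

# new_csr NAME SUBJECT : fresh RSA key and CSR for NAME
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}
# sign NAME ISSUER EXTFILE : issue NAME.pem from NAME.csr with ISSUER's key
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -out "$1.pem" -days 2 -extfile "$3" >/dev/null 2>&1
}

new_csr root "Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 \
    -extfile ca.ext >/dev/null 2>&1                 # self-signed trust anchor
new_csr int1 "Intermediate 1";  sign int1 root ca.ext
new_csr int2 "Intermediate 2";  sign int2 root ca.ext
new_csr client11 "client 11";   sign client11 int1 leaf.ext
new_csr client21 "client 21";   sign client21 int2 leaf.ext
cat int1.pem int2.pem > chain.pem   # what a client presents next to its leaf

# verify_chain LEAF ANCHORS : OpenSSL path validation, the part that
# SSLCACertificateFile drives in mod_ssl. Succeeds only when the path ends at
# a self-signed certificate found in ANCHORS.
verify_chain() {
    openssl verify -CAfile "$2" -untrusted chain.pem "$1" 2>/dev/null | grep -q ': OK$'
}

# issuer_dn LEAF : issuer name in RFC 2253 form, stable across OpenSSL versions
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# naive_accept LEAF : the question's first attempt, the intermediate alone as
# anchor. OpenSSL keeps looking for the issuer of "Intermediate 1", never finds
# a self-signed certificate, and reports "unable to get local issuer certificate".
naive_accept() { verify_chain "$1" int1.pem; }

# root_accept LEAF : the question's second attempt. The path verifies, but so
# does every certificate under the root, including what "Intermediate 2" signed.
root_accept() { verify_chain "$1" root.pem; }

# accept LEAF : full path to the root, then a policy check on the direct issuer.
# In mod_ssl the same value is available as SSL_CLIENT_I_DN for an SSLRequire.
accept() {
    verify_chain "$1" root.pem && [ "$(issuer_dn "$1")" = "CN=Intermediate 1" ]
}

for c in client11 client21; do
    printf '%-9s naive=%s root=%s root+issuer=%s\n' "$c" \
        "$(naive_accept "$c.pem" && echo yes || echo no)" \
        "$(root_accept  "$c.pem" && echo yes || echo no)" \
        "$(accept       "$c.pem" && echo yes || echo no)"
done
```

The point the output makes is that path validation and "issued by this particular intermediate" are two different questions: the CA file and SSLVerifyDepth only answer the first, so the intermediate-only store fails with the very error quoted in the post and the root store accepts both intermediates, while the issuer comparison is what finally separates client 11 from client 21.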
