RE: SSL client auth, accept only one specific intermediate CA

David Balažic wrote:
> 
> How to set up apache mod_ssl to accept client certificates issued by one
> specific intermediate?
> 
> Let's have certificates (ordered by issuer):
>   - root CA
>     - intermediate 1
>       - client 11
>       - client 12
>    - intermediate 2
>       - client 21
>       - client 22
> 
> 
> I want to allow certificates 11 and 12 (and possibly others issued by
> "intermediate 1"), but not the others.
> 
> My naive approach was to add "intermediate 1" to the SSLCACertificateFile
> and set SSLVerifyDepth to 1.
> 
> But that does not work.
> It allows the client to select their certificate issued by "intermediate 1" (and not
> others), but when the connection goes on, it is refused.
> Apache logs:
> [error] Certificate Verification: Error (20): unable to get local issuer certificate
> 
> The only way I found to make it accept this certificate is to add both "root CA"
> and "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 2
> or more.
> But this also allows certificates issued by "intermediate 2", which I do not
> want.
> 
> How to solve this problem?


It seems the SSLCADNRequestFile option solves the problem.

See http://www.gossamer-threads.com/lists/apache/users/321623

Regards,
David
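The two configurations from the question and the SSLCADNRequestFile fix, written out as an added example that is not part of the original thread. The file paths, the bundle layout and the issuer CN "Intermediate 1" are assumptions; the directive names are mod_ssl's own. The example also adds a server-side issuer check that the thread does not discuss: SSLCADNRequestFile only controls the list of acceptable CA names sent in the TLS CertificateRequest, which tells a well-behaved client which certificate to offer, while verification is still governed by SSLCACertificateFile and SSLVerifyDepth, so a client that ignores the list and presents a chain from "intermediate 2" would still verify against the root.

```apache
# Added example, not from the original thread. Paths and the issuer CN are
# assumptions; adjust to your PKI.
#   /etc/ssl/pki/intermediate1.pem          intermediate 1 only
#   /etc/ssl/pki/root-and-intermediate1.pem root CA + intermediate 1

# --- First attempt from the question: fails with verify error 20 ---
# Only the intermediate is trusted. OpenSSL still walks the chain up to the
# root, cannot find it, and logs "unable to get local issuer certificate".
#SSLVerifyClient       require
#SSLCACertificateFile  /etc/ssl/pki/intermediate1.pem
#SSLVerifyDepth        1

# --- Second attempt: verifies, but is too permissive ---
# With the root trusted, a client-21 chain (client 21 + intermediate 2 sent by
# the client) also verifies, because the root is the trust anchor.
#SSLVerifyClient       require
#SSLCACertificateFile  /etc/ssl/pki/root-and-intermediate1.pem
#SSLVerifyDepth        2

# --- Corrected ---
SSLVerifyClient       require
SSLCACertificateFile  /etc/ssl/pki/root-and-intermediate1.pem
SSLVerifyDepth        2

# Advertise only intermediate 1 in the CertificateRequest's CA-name list, so
# browsers offer only certificates issued by it (the fix from the thread).
SSLCADNRequestFile    /etc/ssl/pki/intermediate1.pem

# The CA-name list is a hint to the client, not an access check. Reject any
# chain whose issuer is not intermediate 1 on the server side as well.
# httpd 2.4 syntax (assumed issuer CN "Intermediate 1"):
<Location />
    Require expr %{SSL_CLIENT_I_DN_CN} == "Intermediate 1"
</Location>
# httpd 2.2 equivalent:
#SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Intermediate 1"
```

After reloading, test with a client-21 certificate as well as a client-11 one: the first should now be refused by the Require/SSLRequire check even though its chain verifies, and the second should be accepted.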