David Balažic wrote:

> How to set up apache mod_ssl to accept client certificates issued by one
> specific intermediate?
>
> Let's have certificates (ordered by issuer):
> - root CA
>   - intermediate 1
>     - client 11
>     - client 12
>   - intermediate 2
>     - client 21
>     - client 22
>
> I want to allow certificates 11 and 12 (and possible others issued by
> "intermediate 1"), but not the others.
>
> My naive approach was to add "intermediate 1" to the SSLCACertificateFile
> and set SSLVerifyDepth to 1.
>
> But that does not work.
> It allows the client to select their certificate issued by "intermediate 1" (and not
> others), but when the connection goes on, it is refused.
> Apache logs:
> [error] Certificate Verification: Error (20): unable to get local issuer certificate
>
> The only way I found to make it accept this certificate is to add both "root CA"
> and "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 2
> or more.
> But this also allows certificates issued by "intermediate 2", which I do not
> want.
>
> How to solve this problem?

It seems the SSLCADNRequestFile option solves the problem.

See http://www.gossamer-threads.com/lists/apache/users/321623

Regards,
David
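The configuration sketched in the thread, as an added example rather than anything posted to the list: the root and "intermediate 1" are trusted so the chain can be built completely (avoiding the "Error (20)" above), only "intermediate 1" is advertised to clients via SSLCADNRequestFile, and an SSLRequire rule on the issuer additionally rejects any chain that verified through a different intermediate under the same root. The file paths, the `Example Corp` organisation and the issuer CN value are assumptions for illustration and must be replaced with the real ones.

```apache
# Trust anchors used for chain verification. The root CA must be present,
# otherwise OpenSSL cannot build a complete chain and mod_ssl logs
# "Error (20): unable to get local issuer certificate".
# (Paths are assumed for this example.)
SSLCACertificateFile /etc/ssl/certs/root-and-intermediate1.pem
SSLVerifyClient require
SSLVerifyDepth 2

# Only "intermediate 1" is sent to the client as an acceptable CA name,
# so browsers offer just the certificates issued by it. This alone is a
# hint to the client, not a server-side check, which is why the rule
# below is still needed.
SSLCADNRequestFile /etc/ssl/certs/intermediate1-only.pem

# Server-side enforcement: reject any client certificate whose direct
# issuer is not "intermediate 1", even if it chains to the same root
# (e.g. client 21 or client 22 issued by "intermediate 2").
# The CN string is an assumed value; it must match the real issuer CN.
<Location />
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "intermediate 1"
</Location>
```

The SSLRequire rule uses the issuer CN only; if two intermediates under the same root could share a CN, compare the full issuer DN (`SSL_CLIENT_I_DN`) instead, taking into account that its string format differs between Apache 2.2 and 2.4 (see the `LegacyDNStringFormat` SSLOption). A rejected connection from a certificate under "intermediate 2" will show up in the error log as an SSLRequire access failure rather than as a verification error, which makes the two cases easy to tell apart when reviewing logs.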