This is a follow up to an email I send out last Friday. When setting up a website to use MIL CAC cards. As long as SSLVerifyClient require SSLVerifyDepth 10 and we do not remove anything from ca-bundle.crt file we receive from DOD it works fine. Our problem is: When a user puts in his CAC and goes to our site we only want the "EMAIL CA" to show in the "Select a Certificate" box. So we change the SSLVerifyDepth to a 1. When we do we get the "AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)" So we remove all the ROOT CA (these are the ones in the "Subject" lines). But when we do that we get the H02039: Certificate Verification: Error (2): unable to get issuer certificate. Found that for each cert in the ca-bundle.crt there is a "Subject" and a "Issuer". For test purposes I removed the "Issuer" line of the cert and I still get the "H02039: Certificate Verification: Error (2): unable to get issuer certificate" So this tells me it needs the Issuer cert, which is not what we want because it goes back to showing both certs in the "select a certificate" for the user. Has anyone been able to restrict what shows in "select a certificate" box with success as Apache being the webserver? --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|