Re: apache client authentication problem (somewhat long)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



So you have a bunch of .cer files. Then you have to use
SSLCACertificatePath and links with hashes as names. It can't be just
one file with once certificate unless all your client have
certificates signed by one CA.

On 11/28/06, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:
Serge Dubrouski wrote:
> Your client submits certificate signed by CA which certificate you
> don't have in your SSLCACertificatePath. Actually it looks like you
> incorrectly configured it. You have:
>
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> SSLCACertificatePath /etc/httpd/conf/ssl.crt
>
> You should use just one of those options. If you use
> SSLCACertificateFile your file (stacked pem) should have certificates
> for all CA that issue certificates for you clients. If you use
> SSLCACertificatePath place all certs into that directory and create
> links like it's described here:
>
> http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
>
>
>


OK, I've read that. I may be stuck on this line:

1: # Make sure the new CA certificate is in PEM format.

The CA's I obtained from a very user-hostile web site. It listed each CA
separately (like CA-12, CA-13, etc.), and allowed me to view the certificates,
or download them. If you download them, I am given .cer files. If you view them,
I am given a lot of text in between a -----BEGIN CERTIFICATE----- and an
-----END CERTIFICATE-----, as well as the certificate contents in readable form.
I don't know what .cer files are, except googling indicates they may be
something that Microsoft uses, as MS has a utility that reads them, and will
install the certificate. I copied each text certificate and concatenated them
into a single root.crt file.

This link:

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-ca-cert.htm

seems to indicate that what I did was correct.

Also, removing the SSLCACertificatePath line in ssl.conf does not help.

I have an emailed copy of another servers root.crt file, from a site that has
this working, and I STILL get these errors. I had copied his ssl.conf as well.
He used both lines given above.

Thanks for responding.

Any other ideas?



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux