On 11/28/06, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:
Serge Dubrouski wrote:
> Your client submits certificate signed by CA which certificate you
> don't have in your SSLCACertificatePath. Actually it looks like you
> incorrectly configured it. You have:
>
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> SSLCACertificatePath /etc/httpd/conf/ssl.crt
>
> You should use just one of those options. If you use
> SSLCACertificateFile your file (stacked pem) should have certificates
> for all CA that issue certificates for your clients. If you use
> SSLCACertificatePath place all certs into that directory and create
> links like it's described here:
>
> http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
>

OK, I've read that. I may be stuck on this line:

1: # Make sure the new CA certificate is in PEM format.

The CAs I obtained from a very user-hostile web site. It listed each CA separately (like CA-12, CA-13, etc.), and allowed me to view the certificates, or download them. If you download them, I am given .cer files. If you view them, I am given a lot of text in between a -----BEGIN CERTIFICATE----- and an -----END CERTIFICATE-----, as well as the certificate contents in readable form.

I don't know what .cer files are, except googling indicates they may be something that Microsoft uses, as MS has a utility that reads them, and will install the certificate.

I copied each text certificate and concatenated them into a single root.crt file. This link:

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-ca-cert.htm

seems to indicate that what I did was correct.

Also, removing the SSLCACertificatePath line in ssl.conf does not help. I have an emailed copy of another server's root.crt file, from a site that has this working, and I STILL get these errors. I had copied his ssl.conf as well. He used both lines given above.
And that's not a problem with your server certificate. That's a problem with client certificates. You have to have certs for CAs that issued client certificates.
Thanks for responding. Any other ideas?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
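An added example, not part of the thread: one way to turn a mix of downloaded .cer files and pasted certificate text into the stacked PEM file that SSLCACertificateFile expects, rejecting blocks that are truncated or not base64. It assumes each input is either binary DER or text containing BEGIN/END CERTIFICATE markers; the function names are hypothetical and SAMPLE_DER is a constructed placeholder, not a real certificate. It checks encoding and framing only, not whether the CAs are the ones that issued the client certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(BEGIN + r"(.*?)" + END, re.S)
# Constructed placeholder: DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def der_length_ok(der: bytes) -> bool:
    """True if the blob is one DER SEQUENCE whose length field spans it exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_der_list(data: bytes) -> list[bytes]:
    """Accept a binary .cer (DER) or pasted PEM text; return the DER blobs found."""
    if BEGIN.encode() in data:
        text = data.decode("ascii", errors="replace")
        # Text outside the markers (the human-readable dump) is ignored.
        blobs = [base64.b64decode("".join(m.split()), validate=True)
                 for m in PEM_BLOCK.findall(text)]
        if text.count(BEGIN) != len(blobs):
            raise ValueError("BEGIN CERTIFICATE without matching END")
    else:
        blobs = [data]                      # assume a raw DER download
    for i, der in enumerate(blobs):
        if not der_length_ok(der):
            raise ValueError(f"block {i}: truncated or not DER")
    return blobs


def to_pem(der: bytes) -> str:
    """Wrap one DER blob as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def build_bundle(inputs: list[bytes]) -> str:
    """Normalise mixed .cer and pasted-PEM inputs into one stacked PEM file."""
    return "".join(to_pem(d) for data in inputs for d in to_der_list(data))
```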