[ Bill Tangren ]

> Serge Dubrouski wrote:
>> Your client submits certificate signed by CA which certificate you
>> don't have in your SSLCACertificatePath. Actually it looks like you
>> incorrectly configured it. You have:
>>
>> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
>> SSLCACertificatePath /etc/httpd/conf/ssl.crt
>>
>> You should use just one of those options. If you use
>> SSLCACertificateFile your file (stacked pem) should have certificates
>> for all CA that issue certificates for your clients. If you use
>> SSLCACertificatePath place all certs into that directory and create
>> links like it's described here:
>> http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
>
> OK, I've read that. I may be stuck on this line:
>
> 1: # Make sure the new CA certificate is in PEM format.
>
> The CAs I obtained from a very user-hostile web site. It listed
> each CA separately (like CA-12, CA-13, etc.), and allowed me to view
> the certificates, or download them. If you download them, I am given
> .cer files. If you view them, I am given a lot of text in between a
> -----BEGIN CERTIFICATE----- and an -----END CERTIFICATE-----, as
> well as the certificate contents in readable form. I don't know what
> .cer files are, except googling indicates they may be something that
> Microsoft uses, as MS has a utility that reads them, and will
> install the certificate. I copied each text certificate and
> concatenated them into a single root.crt file.

.cer seems like another shortname for "certificate", like ".crt". The CA-cert /most probably/ is in the PEM format.

You've got the client certs (.crt?)? Try using OpenSSL to view what's in them:

bash# openssl x509 -text -in <client.crt>

You can even grep out the issuer (CA) to see which CA-cert you need to verify the client certificate:

bash# openssl x509 -text -in <client.crt> | grep Issuer

The OU should give you some idea of the correct CA-cert you need.
You might be lucky and have some more info in the X509v3-extensions that give you a URL to the CA-cert itself. You can try dumping the CA-cert with the same OpenSSL-commands.

When you have the CA-cert that signed the client-cert, point to it in your httpd.conf with the SSLCACertificateFile-directive (if you need no more than this one CA-cert for your server). See docs for more info.

The whole dealio is that the webserver needs the exact CA-cert that signed the client-cert to verify the clients.

Rgds,
Kenneth Svee

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
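As an added example that is not part of the thread, here is a small POSIX shell helper doing what Kenneth describes by hand: it checks whether a downloaded .cer is already PEM, converts it with openssl if it is DER, and matches the client certificate's Issuer against each CA file's Subject to find the one to name in SSLCACertificateFile. The function names are mine; it assumes the openssl CLI is on the PATH.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): find the CA certificate that
# signed a client certificate, so it can be named in SSLCACertificateFile.
# Assumes the openssl CLI is on the PATH.

# is_pem FILE: succeeds if FILE already holds a PEM certificate block
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# to_pem FILE: prints the path of a PEM copy of FILE, converting a
# DER-encoded .cer (what the download gave Bill) with openssl when needed
to_pem() {
    if is_pem "$1"; then
        printf '%s\n' "$1"
    else
        out="${1%.*}.pem"
        openssl x509 -inform DER -in "$1" -out "$out" && printf '%s\n' "$out"
    fi
}

# issuer_of / subject_of FILE: the DN strings as printed by openssl; the
# "issuer=" / "subject=" prefix is stripped so the two can be compared
issuer_of() {
    openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//'
}
subject_of() {
    openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'
}

# find_ca CLIENT_CERT CA_DIR: prints the file in CA_DIR whose Subject
# equals the client certificate's Issuer, i.e. the CA httpd must trust
find_ca() {
    want=$(issuer_of "$1") || return 1
    for ca in "$2"/*; do
        [ -f "$ca" ] || continue
        pem=$(to_pem "$ca") || continue
        if [ "$(subject_of "$pem")" = "$want" ]; then
            printf '%s\n' "$pem"
            return 0
        fi
    done
    echo "no CA in $2 matches issuer: $want" >&2
    return 1
}

# Usage: sh find_ca.sh client.crt /etc/httpd/conf/ssl.crt
if [ "$#" -eq 2 ]; then find_ca "$1" "$2"; fi
```

A Subject/Issuer name match is only a hint; confirm the signature with `openssl verify -CAfile <ca.pem> <client.crt>` before pointing SSLCACertificateFile at it, since a name match alone does not prove the CA actually signed the client certificate.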