Re: apache client authentication problem (somewhat long)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[ Bill Tangren ]

> Serge Dubrouski wrote:
>> Your client submits certificate signed by CA which certificate you
>> don't have in your SSLCACertificatePath. Actually it looks like you
>> incorrectly configured it. You have:
>> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
>> SSLCACertificatePath /etc/httpd/conf/ssl.crt
>> You should use just one of those options. If you use
>> SSLCACertificateFile your file (stacked pem) should have certificates
>> for all CA that issue certificates for you clients. If you use
>> SSLCACertificatePath place all certs into that directory and create
>> links like it's described here:
>> http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
>
>
> OK, I've read that. I may be stuck on this line:
>
> 1: # Make sure the new CA certificate is in PEM format.
>
> The CA's I obtained from a very user-hostile web site. It listed
> each CA separately (like CA-12, CA-13, etc.), and allowed me to view
> the certificates, or download them. If you download them, I am given
> .cer files. If you view them, I am given a lot of text in between a
> -----BEGIN CERTIFICATE----- and an -----END CERTIFICATE-----, as
> well as the certificate contents in readable form. I don't know what
> .cer files are, except googling indicates they may be something that
> Microsoft uses, as MS has a utility that reads them, and will
> install the certificate. I copied each text certificate and
> concatenated them into a single root.crt file.

.cer seems like another shortname for "certificate", like ".crt". The
CA-cert /most probably/ is in the PEM format.

You've got the client certs (.crt?)? Try using OpenSSL to view what's
in them:

  bash# openssl x509 -text -in <client.crt>

You can even grep out the issuer (CA) to see which CA-cert you need to
verify the client certificate:

  bash# openssl x509 -text -in <client.crt> | grep Issuer

The OU should give you some idea of the correct CA-cert you need. You
might be lucky and have some more info in the X509v3-extensions that
give you an URL to the CA-cert it self.

You can try dumping the CA-cert with the same OpenSSL-commands.

When you have the CA-cert that signed the client-cert, point to it in
your httpd.conf with the SSLCACertificateFile-directive (if you need
no more than this CA-cert one for your server). See docs for more
info.

The whole dealio is that the webserver needs the exact CA-cert that
signed the client-cert to verify the clients.


Rgds,
Kenneth Svee

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux