I've been trying to set up Apache to do certificate authentication and although I've had success using a self-signed CA (which naturally requires that the CA certificate be installed in the browser), I want to do the same, only have the certificate(s) signed by a real(*) CA, and am having some difficulty.
(*) Specifically, CACert, which still isn't a OOTB trusted CA in most
software.
The way I expect this to work is:
- Create my CA key and a CSR, and have CACert sign it.
- Create a server key and CSR, and sign it with my CA
- Create a client certificate, signed by my CA.
So I end up with a certificate chain that goes:
CACert -> my CA -> my server
But... this is not working. Firefox won't verify the server (the
CACert root certificate .is. installed), and having bypassed this
check, Apache won't verify the client either.
The Apache configuration is as follows:
<VirtualHost *:443>
ServerName foo.bar
DocumentRoot /path/to/htdocs
SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /sslpath/server.crt
SSLCertificateKeyFile /sslpath/server.key
SSLCACertificateFile /sslpath/my-ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
</VirtualHost>
Any suggestions are appreciated,
frase
pgpjMpbJXLvX2.pgp
Description: PGP signature
