I'm having a bitch of a time getting client verification to work.

I've got the root CA cert, project CA cert, and server and client certs (keys
with passphrase removed) all in pem encoded format.  I've done the following.

1. Created a new mod_ssl instance of apache
2. Set the server key and cert tags
3. Set verifyclient to 'require', left the verifydepth at 10 (I've tried playing
with this.. seems to have _no_ effect)
4. Multiple scenarios here:
a) set the ca file to the project CA cert (errors with something like 'failed to
get local issuer')
b) set the ca file to the root CA cert (some other error which basically said..
can't verify the issuer)
c) set the capath to a directory with the server, root ca, and project ca certs
and ran make to build the hash symlinks
d) set certificate chain to a file with project CA cert and root ca cert
e) set ca file to a ca bundle I created with name, md5 fingerprint, cert, and
text output of root CA and project CA.

What works?
If I turn off client verification I can hit the server with an https connection.

I realize that I'm not including error messages, and that's cuz they all seem to
be a little different.  I've tried connecting to all these scenarios using a p12
version of the client cert which I generated using the client cert, key (with
passphrase removed) and also using openssl s_client with cert and key parameters
using the pem format cert/key (pass removed).

Has anyone else attempted to do this multiple level CA thing and had success
doing client cert verification?  Is there something I might have missed?

Some various errors for a-e):
"Certificate Verification: Error (26): unsupported certificate purpose"
"Certificate Verification: Error (20): unable to get local issuer certificate"

openssl 0.9.5a
apache 1.3.12

Matthew Lenz


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
