Mathew,
Sounds like certificate problems. I've set up the nsopenssl module for
AOLserver to do what you're trying to do, so I know that at least OpenSSL
0.9.5a works ok in this regard. I've taken the Dept of Defense root CA and
second level CA and made them available to the web server for verifying
client certificates. Then I used s_client with my client cert and key (and
the same two CA certs so s_client could verify the server cert) and made a
connection to the server. The verify depth was set to 3, but only 2 levels
were needed to verify. Both client and server verified fine. All certs were
in PEM format.
Although I haven't done this with Apache/mod_ssl, I have a few ideas about
what you might try.
First, make sure the CA certificates are in a directory of their own. I
don't think your server certificate should be in the same directory as
the CA certificates.
Second, reverse the process: generate a server certificate from your root
CA/project CA certificates and have your Apache server use that certificate
for https connections. Make sure verify client is OFF. Then point 'openssl
s_client' to the root CA/project CA certificates and connect to your server.
If s_client verifies your server certificate, then you know that your root
CA/project CA certificates and the process you're using to generate
certificates is sound.
I notice in 4a & 4b below that you've set the ca file to either the root CA
or the project CA; both must be available to verify the chain, if memory
serves me correctly.
/s.
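The check described above (both CAs available, CA certs kept apart from the server cert, chain verified with the openssl command line), as an added example that is not part of the thread: it rebuilds the same company root CA -> project CA -> client cert chain with a modern openssl (1.1.1 or later) and shows that the client cert verifies only when both CA certs are present, as one bundle file or as a hashed directory. Subjects, file names and the small config are assumed for the demo.

```shell
# Added example, not from the thread: rebuild the two-level chain (company
# root CA -> project CA -> client cert) with a modern openssl (1.1.1+) and show
# that verifying the client cert needs BOTH CA certs, as one bundle file
# (SSLCACertificateFile) or a hashed directory (SSLCACertificatePath).
set -e
WORK="$(mktemp -d)"

make_chain() (
  cd "$WORK"
  # Constructed config: empty DN section (subjects come from -subj) plus the
  # extension sets for a signing CA and for an SSL client leaf certificate.
  cat >demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # Self-signed company root CA
  openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj "/CN=Demo Company Root CA" -keyout root.key -out root.pem
  # Project CA: CSR signed by the root, itself marked CA:TRUE so it may sign leaves
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Project CA" -keyout project.key -out project.csr
  openssl x509 -req -in project.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile demo.cnf -extensions ca_ext -out project.pem
  # Client cert signed by the project CA (key without passphrase, as in the thread)
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=demo-client" -keyout client.key -out client.csr
  openssl x509 -req -in client.csr -CA project.pem -CAkey project.key -CAcreateserial \
    -days 30 -sha256 -extfile demo.cnf -extensions leaf_ext -out client.pem
  # Bundle = every CA in the chain and nothing else (no server cert in here)
  cat root.pem project.pem >ca-bundle.pem
  # Hashed directory = the same CA certs plus the <hash>.0 symlinks mod_ssl looks up
  mkdir cadir && cp root.pem project.pem cadir/ && openssl rehash cadir
) 2>/dev/null

# Verify client.pem for the sslclient purpose against a -CAfile or a -CApath;
# prints "client.pem: OK" or the openssl error text joined onto one line.
verify_client() (
  cd "$WORK" && openssl verify -purpose sslclient "$1" "$2" client.pem 2>&1 | tr '\n' ' '
)
make_chain
echo "root only:    $(verify_client -CAfile root.pem)"      # error 20, unable to get local issuer certificate
echo "root+project: $(verify_client -CAfile ca-bundle.pem)" # client.pem: OK
echo "CApath:       $(verify_client -CApath cadir)"         # client.pem: OK
```

The root-only run reproduces error 20 from the original post: the chain stops at the client cert because its issuer, the project CA, is nowhere in the trust store.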
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 06, 2000 1:43 PM
Subject: Self Signed Company CA Root --signs--> Project CA --signs-> Server
and Client certs
>
>
> I'm having a bitch of a time getting client verification to work.
>
> I've got the root CA cert, project CA cert, and server and client certs (keys
> with passphrase removed) all in PEM encoded format. I've done the following.
>
> 1. Created a new mod_ssl instance of Apache
> 2. Set the server key and cert tags
> 3. Set verifyclient to 'require', left the verifydepth at 10 (I've tried
> playing with this.. seems to have _no_ effect)
> 4. Multiple scenarios here.
> a) set the ca file to the project CA cert (errors with something like
> 'failed to get local issuer')
> b) set the ca file to the root CA cert (some other error which basically
> said.. can't verify the issuer)
> c) set the capath to a directory with the server, root CA, and project CA
> certs and ran make to build the hash symlinks
> d) set certificate chain to a file with project CA cert and root CA cert
> e) set ca file to a CA bundle I created with name, md5 fingerprint, cert, and
> text output of root CA and project CA.
>
> What works?
> If I turn off client verification I can hit the server with an https
> connection.
>
> I realize that I'm not including error messages, and that's cuz they all
> seem to be a little different. I've tried connecting to all these scenarios
> using a p12 version of the client cert which I generated using the client
> cert, key (with passphrase removed) and also using openssl s_client with cert
> and key parameters using the pem format cert/key (pass removed).
>
> Has anyone else attempted to do this multiple level CA thing and had success
> doing client cert verification? Is there something I might have missed?
>
> Some various errors for a-e): "Certificate Verification: Error (26):
> unsupported certificate purpose"
> "Certificate Verification: Error (20): unable to get local issuer certificate"
>
> openssl 0.9.5a
> apache 1.3.12
>
> Matthew Lenz
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]