Sorry in advance, but I am fairly new to OpenSSL and though I have read a lot, I just can't seem to get it right. Any help, even direction pointing (e.g. a URL), would be greatly appreciated.
Problem: client certificates not available during SSL handshake
Description: I have a server certificate that was issued by an intermediate CA (DOD Class 3 CA-3) that was issued by the DOD Root CA (DoD CLASS 3 Root CA). Some DoD issued certificates (e.g. those issued by the intermediate CA, DOD Class 3 CA-5) work correctly, but those issued by DoD Class 3 CA-8 do not work.
I think what I really just need to figure out is which certificates should go in my ca-bundle.crt file and which certificates should go in the intermediate-ca.crt file. (Should all intermediate CA certificates be added to the intermediate file?)
Steps Taken (where did I go wrong?):

1. I downloaded the DOD Root Certificates and installed them for IE.
   - http://www.onr.navy.mil/resources/instructions.asp
2. Using the certificate manager (mmc) in Windows 2000, I selected my subordinate and root CAs and exported them to pkcs7 format (ended up with 2 files, 5 certs in the root ca file, 18 certs in the subordinate list).
3. I ran the openssl pkcs7 command to extract the certs into text format.

       openssl pkcs7 -inform DER -outform PEM -in DoDRoot.p7b -out DoDRoot-ca.crt -print_certs -text
       openssl pkcs7 -inform DER -outform PEM -in DoDSub.p7b -out DoDSub-ca.crt -print_certs -text

4. Copied the files to my apache server.
5. In httpd.conf:

       SSLCertificateChainFile conf\ssl.crt\DoDSub-ca.crt
       SSLCACertificateFile conf\ssl.crt\DoDRoot-ca.crt
       SSLVerifyClient require
       SSLVerifyDepth 2
I have also tried the certificates with just the DOD Class 3 CA-3 in the DoDSub-ca file and all the rest in the DoDRoot-ca file. Any advice?
Thanks in advance,
Heath Golub
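A way to find out what a CA bundle actually contains and whether a given certificate can be chained to a trusted root with that bundle alone, as an added example that is not part of the original post and not the OpenSSL project's own code: a POSIX shell script that splits a PEM file such as the DoDSub-ca.crt produced above (it tolerates the `-text` dumps between the PEM blocks) into one file per certificate, prints each certificate's subject and issuer, and runs `openssl verify` with a chosen CA file. Since no DoD certificates are available here, it builds a throwaway three-level hierarchy (root, intermediate, leaf) in a temporary directory with constructed names; `demo.cnf`, the file names and the subject names are all assumptions of this example. It needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a PEM CA bundle and
# check whether a certificate chains to a root using only a given CA file.
# Requires the openssl command-line tool; every file name and subject
# below is constructed for the demo.

# Split a PEM bundle (it may contain '-text' dumps between the blocks, as
# "openssl pkcs7 -print_certs -text" output does) into one file per cert.
split_bundle() {            # $1 = bundle file, $2 = output directory
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# Number of certificates in a PEM bundle.
count_certs() {             # $1 = bundle file
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject and issuer of every certificate in a bundle, so you can see
# which issuing CAs the file really contains.
list_bundle() {             # $1 = bundle file
    lb_tmp=$(mktemp -d)
    split_bundle "$1" "$lb_tmp"
    for f in "$lb_tmp"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
    rm -rf "$lb_tmp"
}

# Return 0 if certificate $2 verifies using only the CAs in file $1, with an
# optional untrusted intermediate bundle $3 (the way a client that sends its
# own intermediate in the handshake is treated).  Matching the ': OK' line
# behaves the same across old and new openssl releases.
verify_cert() {             # $1 = CA file, $2 = certificate, $3 = untrusted chain (optional)
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
    fi
}

# Build a constructed root -> intermediate -> leaf hierarchy in directory $1
# (same shape as root CA -> CA-3 -> server cert in the post).
make_demo_pki() {           # $1 = working directory
    (
        cd "$1" || exit 1
        cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
        openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
            -keyout root.key -out root.crt -subj "/CN=Demo Root CA" -days 30 2>/dev/null || exit 1
        openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
            -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null || exit 1
        openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -extfile demo.cnf -extensions v3_ca -out int.crt -days 30 2>/dev/null || exit 1
        openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
            -keyout leaf.key -out leaf.csr -subj "/CN=demo client" 2>/dev/null || exit 1
        openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
            -extfile demo.cnf -extensions v3_leaf -out leaf.crt -days 30 2>/dev/null || exit 1
        cp root.crt root-only.crt                 # trust file without the intermediate
        cat root.crt int.crt > root-and-int.crt   # trust file with the intermediate
    )
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "certificates in root-and-int.crt: $(count_certs "$work/root-and-int.crt")"
    list_bundle "$work/root-and-int.crt"
    for ca in root-only.crt root-and-int.crt; do
        if verify_cert "$work/$ca" "$work/leaf.crt"; then
            echo "leaf.crt verifies with $ca"
        else
            echo "leaf.crt does NOT verify with $ca (its issuing CA is missing from the file)"
        fi
    done
    verify_cert "$work/root-only.crt" "$work/leaf.crt" "$work/int.crt" \
        && echo "leaf.crt verifies with root-only.crt when int.crt is supplied as untrusted chain"
    rm -rf "$work"
fi
```

Run it as-is to see the demo, or call `list_bundle DoDSub-ca.crt` and `verify_cert DoDRoot-ca.crt some-client.crt` on real files: the leaf verifies against the file that contains both the root and its issuing intermediate, but not against the root alone, which is the same situation as a client certificate whose issuing CA is not in the file named by SSLCACertificateFile.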