I have set up a CA chain with a CA and a subCA. The subCA is used to issue
user certificates and also to issue a certificate for the Apache
httpd/openssl/mod_ssl configuration.

I went ahead and created a private key for the Apache server using openssl.
Then I created the CSR file using the private key. I used this request to
generate a certificate from the Windows 2003 subCA. I used the following
configuration in httpd.conf:

<VirtualHost www.domainname.com:443> 
SSLEngine On 
SSLProtocol all 
SSLCertificateFile conf/ssl/certfile.cer
SSLCertificateKeyFile conf/ssl/server.key
SSLCACertificateFile conf/ssl/certfile.cer
SSLVerifyClient require
SSLVerifyDepth 3
</VirtualHost>  

I tried testing the SSL connection using openssl. When I try this in IE, no
certificate is shown in the certificate popup. Does this mean there is a
discrepancy between the URL and the certificate chain that was used to issue the
certificate? I do see the subCA in the intermediate trust store and the main CA
cert in the trusted CA store in IE.


E:\OpenSSL\bin>openssl s_client -connect abc.domainname.com:443
Loading 'screen' into random state - done
CONNECTED(00000790)
depth=0 /CN=abc.domainname.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=abc.domainname.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=abc.domainname.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=abc.domainname.com
   i:/DC=com/DC=domainname/DC=dev/CN=subCAname
---
Server certificate
-----BEGIN CERTIFICATE-----
server certificate key 
-----END CERTIFICATE-----
subject=/CN=abc.domainname.com
issuer=/DC=com/DC=domainname/DC=dev/CN=subCAname
---
No client certificate CA names sent
---
SSL handshake has read 1764 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: AF858448C17F3CEFA326AA7678058116B7347A6C87AE450002B1CC34E72A8F23006536FD53F455AC6501FF3ABAE6CBC6
    Key-Arg   : None
    Start Time: 1123080310
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
read:errno=10093

Thanks 
xml_abh 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org

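An added example, not part of the post above and not openssl's or Apache's own code: the script below rebuilds the same shape of PKI offline (a throwaway root CA, a subCA, and a server certificate issued by the subCA, with the names copied from the post) and runs openssl verify with different trust inputs. It shows that with only the root as trust anchor and nothing supplying the subCA, verification stops at depth 0 with error 20 (unable to get local issuer certificate), the first error s_client printed above; that handing over the subCA as an untrusted intermediate, or a root+subCA bundle as the trusted file, lets the chain complete; and that a file holding only the server certificate cannot act as a CA file for that certificate. The file names, the temp directory and the pki.cnf contents are the example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: rebuild the poster's setup
# offline (root CA -> subCA -> server cert) and check which trust inputs make
# the server certificate verify. Names mirror the post but are made up; the
# keys and certs are throwaway and live in a temp dir that is removed on exit.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$W/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:abc.domainname.com
EOF

# Root CA: self-signed, CA:TRUE.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=rootCA" -config "$W/pki.cnf" -extensions v3_ca \
    -keyout "$W/root.key" -out "$W/root.pem" >/dev/null 2>&1

# SubCA: a CSR signed by the root, again with CA:TRUE so it may issue certs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=subCAname" \
    -config "$W/pki.cnf" -keyout "$W/sub.key" -out "$W/sub.csr" >/dev/null 2>&1
openssl x509 -req -in "$W/sub.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
    -CAcreateserial -days 365 -extfile "$W/pki.cnf" -extensions v3_ca \
    -out "$W/sub.pem" >/dev/null 2>&1

# Server cert: a CSR made with the server's own key, signed by the subCA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=abc.domainname.com" \
    -config "$W/pki.cnf" -keyout "$W/server.key" -out "$W/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$W/server.csr" -CA "$W/sub.pem" -CAkey "$W/sub.key" \
    -CAcreateserial -days 365 -extfile "$W/pki.cnf" -extensions v3_server \
    -out "$W/server.pem" >/dev/null 2>&1

# The two files a server needs: leaf + intermediate to send in the handshake,
# and the trusted CAs (root + subCA) to check client certificates against.
cat "$W/server.pem" "$W/sub.pem" > "$W/chain.pem"
cat "$W/root.pem" "$W/sub.pem" > "$W/ca-bundle.pem"

# How many certificates a PEM file holds (what a server would send from it).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_cert TRUSTED UNTRUSTED CERT: run "openssl verify" with TRUSTED as the
# anchor file and UNTRUSTED ("" for none) as intermediates; print OK, "error 20"
# for the missing-issuer case, or the raw openssl output for anything else.
verify_cert() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" "$3" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo "OK" ;;
        *"unable to get local issuer certificate"*) echo "error 20" ;;
        *) echo "error: $out" ;;
    esac
}

# 1. Root only, leaf only: the subCA is nowhere to be found, so error 20 at
#    depth 0, the first error s_client printed in the post.
echo "root only, no intermediate:   $(verify_cert "$W/root.pem" "" "$W/server.pem")"
# 2. Root trusted, subCA supplied as an untrusted intermediate: chain completes.
echo "root + subCA as intermediate: $(verify_cert "$W/root.pem" "$W/sub.pem" "$W/server.pem")"
# 3. The server cert used as its own CA file (what the posted
#    SSLCACertificateFile line does): a leaf cannot anchor itself.
echo "server cert as CA file:       $(verify_cert "$W/server.pem" "" "$W/server.pem")"
# 4. Root + subCA bundle as the trusted set, as a CA file for client certs should hold.
echo "root+subCA bundle as CA file: $(verify_cert "$W/ca-bundle.pem" "" "$W/server.pem")"
echo "certs in chain.pem: $(count_certs "$W/chain.pem")"
```

openssl s_client only trusts what -CAfile/-CApath (or the default store) give it, so a private root has to be passed with -CAfile, and the server has to send the subCA certificate in the handshake for the client to get past depth 0; the single entry under "Certificate chain" in the s_client output above shows only the leaf was sent. For Apache that corresponds to the subCA certificate being in the file named by SSLCertificateChainFile (or, in httpd 2.4.8 and later, appended to the SSLCertificateFile), and SSLCACertificateFile holding the root and subCA certificates that client certificates are checked against rather than the server certificate itself.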