On 11/28/06, Bill Tangren <[EMAIL PROTECTED]> wrote:
Serge Dubrouski wrote:
> Your client submits certificate signed by CA which certificate you
> don't have in your SSLCACertificatePath. Actually it looks like you
> incorrectly configured it. You have:
>
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> SSLCACertificatePath /etc/httpd/conf/ssl.crt
>
> You should use just one of those options. If you use
> SSLCACertificateFile your file (stacked pem) should have certificates
> for all CA that issue certificates for you clients. If you use
> SSLCACertificatePath place all certs into that directory and create
> links like it's described here:
>
>
http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html
>
>
>
OK, I've read that. I may be stuck on this line:
1: # Make sure the new CA certificate is in PEM format.
The CA's I obtained from a very user-hostile web site. It listed each CA
separately (like CA-12, CA-13, etc.), and allowed me to view the certificates,
or download them. If you download them, I am given .cer files. If you view them,
I am given a lot of text in between a -----BEGIN CERTIFICATE----- and an
-----END CERTIFICATE-----, as well as the certificate contents in readable form.
I don't know what .cer files are, except googling indicates they may be
something that Microsoft uses, as MS has a utility that reads them, and will
install the certificate. I copied each text certificate and concatenated them
into a single root.crt file.
This link:
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-ca-cert.htm
seems to indicate that what I did was correct.
Also, removing the SSLCACertificatePath line in ssl.conf does not help.
I have an emailed copy of another servers root.crt file, from a site that has
this working, and I STILL get these errors. I had copied his ssl.conf as well.
He used both lines given above.
And that's not a problem with your server certificate. That's a
problem with client certificates. You have to have certs for CAs that
issued client certificates.
Thanks for responding.
Any other ideas?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
