I just tried accessing the "/secure/" directory in Edge and got the same
error message after importing my pkcs12 certificate.

I forgot to include the Apache2 error logs...

[Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
[Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library Error: error:0A000117:SSL routines::extension not received

On Sun, Jul 9, 2023 at 6:52 PM Jiangsu Kumquat <x...@mynetblog.com> wrote:

>
> I'm stuck. I am trying to use certificate authentication to restrict
> access to a directory. I'm using my own certificate authority that I
> created using the commands below.
>
> I'm running Apache2 on Debian Linux.
>
> *** CA KEYS
>
> create CA private key
> openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:4096
>
> create CA self signed certificate
> openssl req -new -x509 -key ca.key -out ca.crt
>
> sign client CSR
> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
>
>
> *** CLIENT KEYS
>
> generate client private key
> openssl genpkey -algorithm RSA -out private_key.key -pkeyopt rsa_keygen_bits:4096
>
> generate certificate signing request (CSR)
> openssl req -new -key private_key.key -out client.csr
>
> generate pkcs12 client certificate
> openssl pkcs12 -export -out certificate.p12 -inkey private_key.key -in client.crt
>
>
>
> *** Apache2 config
>
> (This is inside a virtual host block)
>
> # This is the CA.crt file I generated above
> SSLCACertificateFile /etc/apache2/ssl-client/ca.crt
>
> <Directory /var/www/html/secure>
>     SSLRequireSSL
> #   SSLVerifyClient require
>     SSLVerifyClient optional_no_ca
>     SSLVerifyDepth 2
>     SSLOptions +StdEnvVars +ExportCertData
> #   SSLRequire %{SSL_CLIENT_S_DN_CN} == ""
> </Directory>
>
> I imported the pkcs12 client certificate I generated above into my Firefox
> browser.
>
> When I access:
> https://example.com/secure
>
> I get this error:
>
> Forbidden
> You don't have permission to access this resource.Reason: Cannot perform
> Post-Handshake Authentication.
>
>
> I'm not sure where to go from here. I don't know how to get past this
> error message.
>
>
>
>
>

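An added example, not part of the original thread: AH10158 together with "extension not received" is what mod_ssl logs when a per-directory SSLVerifyClient has to ask for a certificate after a TLS 1.3 handshake and the client did not offer the post_handshake_auth extension. One arrangement that avoids this is to request the certificate during the initial handshake at virtual-host level and enforce it per directory; the ServerName, the server certificate paths and the verify depth below are assumptions, not values from the post.

```apache
<VirtualHost *:443>
    # Assumed values: ServerName and the server certificate/key paths are
    # placeholders, not taken from the post.
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # CA that signed client.crt (path as given in the post).
    SSLCACertificateFile /etc/apache2/ssl-client/ca.crt

    # Ask for the client certificate in the initial handshake. "optional"
    # lets the rest of the site work without one, and unlike "optional_no_ca"
    # a presented certificate must verify against the CA above.
    SSLVerifyClient optional
    # Depth 1 is enough when the CA signs client certificates directly
    # (assumption based on the commands in the post).
    SSLVerifyDepth 1

    <Directory /var/www/html/secure>
        SSLRequireSSL
        SSLOptions +StdEnvVars
        # No SSLVerifyClient here, so nothing has to be requested after the
        # handshake. Access is granted only to a verified client certificate.
        Require ssl-verify-client
    </Directory>

    # Alternative (keeps SSLVerifyClient inside <Directory>): limit this
    # virtual host to TLS 1.2, where mod_ssl can renegotiate instead.
    # SSLProtocol -all +TLSv1.2
</VirtualHost>
```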