Posted to users@httpd.apache.org by David Balažic <da...@comtrade.com> on 2016/05/31 14:25:53 UTC

[users@httpd] RE: SSL client auth, accept only one specific intermediate CA

David Balažic wrote:
> 
> How to set up apache mod_ssl to accept client certificates issued by one
> specific intermediate?
> 
> Let's have certificates (ordered by issuer):
>   - root CA
>     - intermediate 1
>       - client 11
>       - client 12
>   - intermediate 2
>       - client 21
>       - client 22
> 
> 
> I want to allow certificates 11 and 12 (and possible others issued by
> "intermediate 1"), but not the others.
> 
> My naive approach was to add "intermediate 1" to the SSLCACertificateFile
> and set SSLVerifyDepth to 1.
> 
> But that does not work.
> It allows the client to select their certificate issued by "intermediate 1" (and not
> others), but when the connection goes on, it is refused.
> Apache logs:
> [error] Certificate Verification: Error (20): unable to get local issuer certificate
> 
> The only way I found to make it accept this certificate is to add both "root CA"
> and "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 2
> or more.
> But this also allows certificates issued by "intermediate 2" which I do not
> want.
> 
> How to solve this problem?


It seems the SSLCADNRequestFile option solves the problem.

See http://www.gossamer-threads.com/lists/apache/users/321623

Regards,
David
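
As an added example that is not part of the original thread: a mod_ssl (Apache 2.4) configuration for the certificate layout described above. File paths, the ServerName and the issuer DN string are assumptions. Per the mod_ssl documentation, SSLCACertificateFile is the trust store used for chain verification and has to reach the self-signed root (which is why the first attempt above produced error 20), while SSLCADNRequestFile only sets the CA names advertised to the client in the CertificateRequest message and does not take part in verification. The Require expr line on the issuer DN is therefore what refuses a certificate from "intermediate 2" if a client presents one anyway.

```apache
# Added example configuration (not from the original post).
# Paths, ServerName and the DN value are assumptions for illustration.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile      /etc/ssl/server/server.crt
    SSLCertificateKeyFile   /etc/ssl/server/server.key

    # Trust store for chain verification. It must contain the full chain up to
    # the self-signed root ("root CA" + "intermediate 1"); with only the
    # intermediate present OpenSSL reports error 20, "unable to get local
    # issuer certificate". Depth 2 covers client -> intermediate -> root.
    SSLCACertificateFile    /etc/ssl/clientca/root-and-intermediate1.pem
    SSLVerifyClient         require
    SSLVerifyDepth          2

    # CA names advertised to the client in the CertificateRequest message.
    # This only steers which certificate a browser offers; a non-browser
    # client can still send a certificate issued by "intermediate 2" and it
    # will verify, because "root CA" is trusted.
    SSLCADNRequestFile      /etc/ssl/clientca/intermediate1.pem

    # Server-side enforcement: accept only certificates whose issuer DN is
    # exactly that of "intermediate 1". Replace the DN with the real one.
    <Location "/">
        Require expr "%{SSL_CLIENT_I_DN} == 'CN=intermediate 1,O=Example,C=US'"
    </Location>
</VirtualHost>
```

Apache 2.4 renders DNs in RFC 2253 form by default (SSLOptions +LegacyDNStringFormat restores the older form), so copy the issuer DN from the SSL_CLIENT_I_DN value of a test request rather than typing it from memory. The component variable %{SSL_CLIENT_I_DN_CN} is shorter but compares only the CN, which a second intermediate could share. On Apache 2.2 the equivalent check is SSLRequire %{SSL_CLIENT_I_DN} eq "..." inside the same Location block.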

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org