Posted to users@httpd.apache.org by David Balažic <da...@comtrade.com> on 2016/05/31 14:25:53 UTC
[users@httpd] RE: SSL client auth, accept only one specific intermediate CA
David Balažic wrote:
>
> How to set up apache mod_ssl to accept client certificates issued by one
> specific intermediate?
>
> Let's have certificates (ordered by issuer):
> - root CA
> - intermediate 1
> - client 11
> - client 12
> - intermediate 2
> - client 21
> - client 22
>
> I want to allow certificates 11 and 12 (and possibly others issued by
> "intermediate 1"), but not the others.
>
> My naive approach was to add "intermediate 1" to the SSLCACertificateFile
> and set SSLVerifyDepth to 1.
>
> But that does not work.
> It allows clients to select their certificate issued by "intermediate 1" (and not
> others), but when the connection goes on, it is refused.
> Apache logs:
> [error] Certificate Verification: Error (20): unable to get local issuer certificate
>
> The only way I found to make it accept this certificate is to add both "root CA"
> and "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 2
> or more.
> But this also allows certificates issued by "intermediate 2", which I do not
> want.
>
> How to solve this problem?
It seems the SSLCADNRequestFile option solves the problem.
See http://www.gossamer-threads.com/lists/apache/users/321623
Regards,
David
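An added configuration example, not part of David's post: SSLCADNRequestFile only changes the list of CA names the server advertises in the TLS CertificateRequest, so browsers stop offering certificates from "intermediate 2". It does not restrict verification; a client that sends a certificate from "intermediate 2" together with that intermediate will still pass the chain check against a SSLCACertificateFile that contains the root. The fragment below therefore keeps the root-plus-intermediate trust store that makes verification succeed and adds an explicit issuer check with Apache 2.4's Require expr. File paths and the issuer DN string are assumptions for illustration.

```apache
# Added example, not from the original post: Apache 2.4 mod_ssl configuration
# that verifies the full client chain but admits only certificates issued by
# "intermediate 1". Paths and the DN string are assumptions; substitute yours.

SSLEngine on
SSLCertificateFile    /etc/ssl/server/server.crt
SSLCertificateKeyFile /etc/ssl/server/server.key

# Trust store used for *verification*: root CA plus intermediate 1, so the
# client -> intermediate -> root chain (depth 2) validates and error 20
# ("unable to get local issuer certificate") goes away. On its own this also
# accepts certificates from intermediate 2, because a client can supply that
# intermediate in the handshake and it chains to the same trusted root.
SSLCACertificateFile /etc/ssl/ca/root-and-intermediate1.pem
SSLVerifyClient      require
SSLVerifyDepth       2

# CA names advertised to the client: only intermediate 1, so browsers offer
# just the matching certificates. This is a selection hint, not enforcement.
SSLCADNRequestFile /etc/ssl/ca/intermediate1.pem

# Enforcement: after the chain has verified, reject any certificate whose
# issuer is not intermediate 1. The DN below is an assumed value; confirm the
# exact string Apache produces (SSLOptions +StdEnvVars and %{SSL_CLIENT_I_DN}
# in a LogFormat) before relying on it, since the order and separators depend
# on SSLOptions LegacyDNStringFormat.
<Location "/">
    Require expr %{SSL_CLIENT_I_DN} == "CN=Intermediate 1,O=Example Org,C=US"
</Location>
```

The issuer check is sound only because the chain check runs first: once mod_ssl has verified the certificate, SSL_CLIENT_I_DN names the intermediate that actually signed it, and only the root CA operator can create intermediates with that DN. On Apache 2.2, where Require expr does not exist, the equivalent line is SSLRequire %{SSL_CLIENT_I_DN} eq "CN=Intermediate 1,O=Example Org,C=US" in the same context.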