Posted to users@httpd.apache.org by David Balažic <da...@comtrade.com> on 2016/05/31 13:40:20 UTC

[users@httpd] SSL client auth, accept only one specific intermediate CA

Hi!

How to set up apache mod_ssl to accept client certificates issued by one specific intermediate?

Let's have certificates (ordered by issuer):
  - root CA
    - intermediate 1
      - client 11
      - client 12
    - intermediate 2
      - client 21
      - client 22


I want to allow certificates 11 and 12 (and possibly others issued by "intermediate 1"), but not the others.

My naive approach was to add "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 1.

But that does not work.
It allows the client to select their certificate issued by "intermediate 1" (and not others), but when the connection goes on, it is refused.
Apache logs:
[error] Certificate Verification: Error (20): unable to get local issuer certificate

The only way I found to make it accept this certificate is to add both "root CA" and "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 2 or more.
But this also allows certificates issued by "intermediate 2" which I do not want.

How to solve this problem?


Fun fact: almost the same question was asked 16 years ago: http://marc.info/?l=apache-ssl&m=97326252821385&w=2
With no answer.

PS: I use apache 2.2.3 with openssl 0.9.8a

David Balažic

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] RE: SSL client auth, accept only one specific intermediate CA

Posted by David Balažic <da...@comtrade.com>.
David Balažic wrote:
> 
> How to set up apache mod_ssl to accept client certificates issued by one
> specific intermediate?
> 
> Let's have certificates (ordered by issuer):
>   - root CA
>     - intermediate 1
>       - client 11
>       - client 12
>     - intermediate 2
>       - client 21
>       - client 22
> 
> 
> I want to allow certificates 11 and 12 (and possibly others issued by
> "intermediate 1"), but not the others.
> 
> My naive approach was to add "intermediate 1" to the SSLCACertificateFile
> and set SSLVerifyDepth to 1.
> 
> But that does not work.
> It allows the client to select their certificate issued by "intermediate 1" (and not
> others), but when the connection goes on, it is refused.
> Apache logs:
> [error] Certificate Verification: Error (20): unable to get local issuer certificate
> 
> The only way I found to make it accept this certificate is to add both "root CA"
> and "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 2
> or more.
> But this also allows certificates issued by "intermediate 2" which I do not
> want.
> 
> How to solve this problem?


It seems the SSLCADNRequestFile option solves the problem.

See http://www.gossamer-threads.com/lists/apache/users/321623

Regards,
David
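The configuration the thread arrives at, written out as an added example (not posted by David or taken from the httpd project). Two points it makes explicit that the thread does not: the "Error (20): unable to get local issuer certificate" in the first attempt is OpenSSL refusing a chain that does not end in a self-signed root present in the verification store, so the root CA has to stay in SSLCACertificateFile; and SSLCADNRequestFile only changes the list of CA names advertised in the TLS CertificateRequest message, so it steers which certificate a browser offers but does not stop a client from presenting a certificate from "intermediate 2", which still verifies against the root. The SSLRequire rule at the end is what actually enforces the issuer. File paths and the DN of "intermediate 1" are assumptions; the syntax targets Apache 2.2, which the question uses.

```apache
# Added example (not from the original thread): mod_ssl on Apache 2.2 that
# accepts only client certificates issued by "intermediate 1".
# All file names and the issuer DN below are assumptions.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Verification store. OpenSSL needs the chain to end in a self-signed
    # root it trusts, so the root CA must be in this file along with
    # intermediate 1. With intermediate 1 alone, verification fails with
    # "Error (20): unable to get local issuer certificate".
    # The bundle is assumed to be root CA + intermediate 1 concatenated in PEM.
    SSLCACertificateFile  /etc/apache2/ssl/root-and-intermediate1.pem
    SSLVerifyClient       require
    # client (depth 0) -> intermediate 1 (depth 1) -> root CA (depth 2)
    SSLVerifyDepth        2

    # Names sent to the client in the CertificateRequest: only intermediate 1,
    # so browsers offer just the certificates it issued. This is a hint to the
    # client, not an access control: a client can still send a certificate
    # from intermediate 2, and it verifies fine against the root above.
    SSLCADNRequestFile    /etc/apache2/ssl/intermediate1.pem

    # Server-side enforcement of the issuer. The DN string is an assumption;
    # take the real value from a certificate issued by intermediate 1 with
    #   openssl x509 -in client11.crt -noout -issuer
    # (Apache 2.2 uses the same slash-separated oneline format.)
    <Location />
        SSLRequire %{SSL_CLIENT_I_DN} eq "/C=SI/O=Example/CN=intermediate 1"
    </Location>

    # Apache 2.4 note: SSLRequire is deprecated there; use
    #   Require expr %{SSL_CLIENT_I_DN} == "CN=intermediate 1,O=Example,C=SI"
    # and mind that 2.4 formats DNs RFC 2253 style (reversed, comma-separated)
    # unless "SSLOptions +LegacyDNStringFormat" is set.
</VirtualHost>
```

To check the enforcement rather than just the browser prompt, connect with a certificate from intermediate 2 using the full chain so the handshake itself succeeds, e.g. `openssl s_client -connect host:443 -cert client21.crt -key client21.key` followed by a GET: the TLS handshake completes (the root verifies the chain), but the request is answered with 403 because SSLRequire rejects the issuer DN. A client-11 certificate should get a 200 in the same test; if it gets 403 as well, the DN string in SSLRequire does not match the issuer exactly as mod_ssl formats it, and the `SSL_CLIENT_I_DN` value logged with `%{SSL_CLIENT_I_DN}x` in a LogFormat shows the string to use.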