Posted to users@httpd.apache.org by Ivan Venuti <i....@caribel.pisa.it> on 2003/11/10 09:58:02 UTC
[users@httpd] Please help with certificates
Hi,
I'm using Apache + mod_ssl.
In order to retrieve a user certificate (from a smart card) I've these files
in the server:
1) server_webtest.p12
2) ca.cer (DER format)
after I have transformed them with openssl:
$ openssl pkcs12 -in server_webtest.p12 -out hostkey.pem -nodes -nocerts
$ openssl pkcs12 -in server_webtest.p12 -out hostcert.pem -nodes -nokeys
and
$ openssl x509 -inform DER -in ca.cer -outform PEM -out ca.crt
I have modified the conf/httpd.conf file with:
SSLCertificateFile /home/caribel/certs/hostcert.pem
SSLCertificateKeyFile /home/caribel/certs/hostkey.pem
SSLCACertificateFile /home/caribel/certs/ca.crt
SSLVerifyClient require
the error (from logs/error_log):
[Mon Nov 10 11:22:22 2003] [alert] httpd: Could not determine the server's
fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Nov 10 11:22:22 2003] [notice] Apache/1.3.28 (Unix) mod_jk/1.2.5
mod_ssl/2.8.15 OpenSSL/0.9.7c configured -- resuming normal operations
[Mon Nov 10 11:22:22 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Nov 10 11:22:36 2003] [error] mod_ssl: Certificate Verification: Error
(19): self signed certificate in certificate chain
[Mon Nov 10 11:22:36 2003] [error] mod_ssl: SSL handshake failed (server
linux135:443, client 192.168.1.71) (OpenSSL library error follows)
[Mon Nov 10 11:22:36 2003] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Mon Nov 10 11:22:39 2003] [error] mod_ssl: Certificate Verification: Error
(19): self signed certificate in certificate chain
[Mon Nov 10 11:22:39 2003] [error] mod_ssl: SSL handshake failed (server
linux135:443, client 192.168.1.71) (OpenSSL library error follows)
[Mon Nov 10 11:22:39 2003] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Mon Nov 10 11:22:43 2003] [error] mod_ssl: Certificate Verification: Error
(19): self signed certificate in certificate chain
[Mon Nov 10 11:22:43 2003] [error] mod_ssl: SSL handshake failed (server
linux135:443, client 192.168.1.71) (OpenSSL library error follows)
[Mon Nov 10 11:22:43 2003] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Any idea where my error could be?
Thanks and have a nice day
-- Ivan
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
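Added example (not part of the original post): the verify error 19 seen in the log above, reproduced with throwaway certificates. OpenSSL reports 19 when the presented chain ends in a self-signed root that is not in the trusted CA file (what `SSLCACertificateFile` supplies to mod_ssl), and 20 when no issuer is found at all. All file names and subjects are constructed for the demo, and the `openssl` command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Added example: reproduce OpenSSL verify errors 19 and 20 with throwaway certs.
# Every file name and subject below is constructed for this demo.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Self-signed root that issues the client certificate (stand-in for a card CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Card Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
# A second, unrelated self-signed CA: the only thing the "server" trusts at first.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Unrelated CA" \
    -keyout other.key -out other.crt 2>/dev/null
# Client key and CSR, signed by the demo root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo user" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -out client.crt 2>/dev/null

# verify_code TRUSTED_CA_FILE [extra "openssl verify" options]
# Prints 0 when client.crt verifies, otherwise the first X509 error number.
verify_code() {
    cafile=$1; shift
    out=$(openssl verify -CAfile "$cafile" "$@" client.crt 2>&1) || true
    if printf '%s\n' "$out" | grep -q '^client.crt: OK$'; then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# Peer sends its root along (-untrusted), but the trusted file lacks it: 19.
echo "root sent, not trusted:  $(verify_code other.crt -untrusted root.crt)"
# Peer sends only the leaf and the issuer is unknown locally: 20.
echo "root absent everywhere:  $(verify_code other.crt)"
# Issuing root is in the trusted CA file: verification succeeds.
echo "root in trusted CA file: $(verify_code root.crt)"
```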
[users@httpd] R: [users@httpd] Please help with certificates
Posted by Ivan Venuti <i....@caribel.pisa.it>.
> Take a look at this
> http://www.karkomaonline.com/article.php?story=20030713003329816
>Hope this helps
Thanks a lot!
now the server responds correctly
-- Ivan
Re: [users@httpd] Please help with certificates
Posted by kko <ka...@karkomaonline.com>.
On Mon, 2003-11-10 at 08:58, Ivan Venuti wrote:
> Hi,
>
> I'm using Apache + mod_ssl.
> In order to retrieve a user certificate (from a smart card) I've these files
> in the server:
>
> 1) server_webtest.p12
Why did you create a p12 for your server? This format is typically used
by your client (i.e. browser)
> 2) ca.cer (DER format)
I assume this is the file containing CA certs, right?
>
> after I have transformed them with openssl:
>
> $ openssl pkcs12 -in server_webtest.p12 -out hostkey.pem -nodes -nocerts
> $ openssl pkcs12 -in server_webtest.p12 -out hostcert.pem -nodes -nokeys
See below...
>
> and
>
> $ openssl x509 -inform DER -in ca.cer -outform PEM -out ca.crt
>
> I have modified the conf/httpd.conf file with:
>
> SSLCertificateFile /home/caribel/certs/hostcert.pem
> SSLCertificateKeyFile /home/caribel/certs/hostkey.pem
> SSLCACertificateFile /home/caribel/certs/ca.crt
> SSLVerifyClient require
>
> the error (from logs/error_log):
>
> [Mon Nov 10 11:22:22 2003] [alert] httpd: Could not determine the server's
> fully qualified domain name, using 127.0.0.1 for ServerName
What's the value of your ServerName Directive in httpd.conf?
> [Mon Nov 10 11:22:22 2003] [notice] Apache/1.3.28 (Unix) mod_jk/1.2.5
> mod_ssl/2.8.15 OpenSSL/0.9.7c configured -- resuming normal operations
> [Mon Nov 10 11:22:22 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Nov 10 11:22:36 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:36 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:36 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> [Mon Nov 10 11:22:39 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:39 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:39 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> [Mon Nov 10 11:22:43 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:43 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:43 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
Why didn't you create your csr/crt/pem directly and sign them?
Take a look at this
http://www.karkomaonline.com/article.php?story=20030713003329816
Hope this helps
--
kko <ka...@karkomaonline.com>
karkomaonline