Posted to users@httpd.apache.org by Lampa <la...@gmail.com> on 2009/08/25 19:37:12 UTC

[users@httpd] SSL client authentication with multiple CA

Hello,

On http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
the Context is given as: server config, virtual host, but in the examples it is
used in Directory context, so I assumed that was a documentation typo.

I am using the web server with HTTPS (crt signed by Thawte), but my problem is
that I tried to use client auth with certs. Now I have 2 (in future
it will grow) directories which should be protected. I have one CA (self
signed, e.g. root CA - conf/ssl/v1.crt) for version 1; the second version
uses its own CA (intermediate - conf/ssl/ca/v2.crt) which is issued by
another root CA (conf/ssl/ca/v2root.crt) (different from version 1);
the file conf/ssl/ca.crt contains the chained version 1 and 2 (i.e. 2 certs).
This setting is working weirdly - v2 accepts v1 certificates, which it
must not. I need only access to v1/ with v1.crt signed certs and v2/
with v2.crt signed certs. I tried to use the example from
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#certauthenticate
(second example - where clients are all part of a common hierarchy,
which is encoded into the DN) but I have 2 directories and 2 CAs; if I
enable the commented-out SSLCACertificateFile conf/ssl/ca/v2.crt for v2, v1
stops working and I get "Re-negotiation handshake failed: Not accepted by
client!?" in error.log.

Any advice and help would be most welcome.

Thank you.

config snippet (options are in server context):

....
# chain file currently holds the v1 root and the v2 intermediate CA certs
SSLCertificateChainFile conf/ssl/ca.crt

# version 1: client certs signed directly by the self-signed v1 root CA
<Directory /var/www/app/v1>
    SSLVerifyClient require
    SSLVerifyDepth 1

    SSLCACertificateFile conf/ssl/v1.crt
</Directory>

# version 2: client certs signed by the v2 intermediate CA (issued by v2root)
<Directory /var/www/app/v2>
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +ExportCertData +StrictRequire
    # enabling this line breaks v1 ("Re-negotiation handshake failed")
#   SSLCACertificateFile conf/ssl/ca/v2.crt
    SSLCACertificatePath conf/ssl/ca
    SSLRequireSSL
</Directory>
...

-- 
Lampa

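Editor's note, added example (this is not part of Lampa's post or of the Apache
documentation): the mod_ssl 2.2 reference lists SSLCACertificateFile and
SSLCACertificatePath with Context "server config, virtual host", so the
per-Directory CA switching attempted above is not what the directive's Context
line permits. The directives that are documented for Directory context are
SSLVerifyClient, SSLVerifyDepth, SSLRequireSSL and SSLRequire. The usual way to
get "v1/ only for v1-issued certs, v2/ only for v2-issued certs" is therefore to
put one bundle of all client CAs at the virtual-host level and to restrict each
directory on the issuer DN of the presented client certificate with SSLRequire.
Below is such a configuration. The server certificate/key/chain file names,
the bundle name conf/ssl/client-cas.crt and the two issuer DN strings are
assumptions for illustration; the real DNs are whatever
"openssl x509 -noout -subject -in conf/ssl/v1.crt" and
"openssl x509 -noout -subject -in conf/ssl/ca/v2.crt" print.

```apache
# Added example, not from the original post. Assumed file names and DNs.
#
# Build the combined client-CA bundle once, outside httpd:
#   cat conf/ssl/v1.crt conf/ssl/ca/v2.crt conf/ssl/ca/v2root.crt \
#       > conf/ssl/client-cas.crt

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile      conf/ssl/server.crt
    SSLCertificateKeyFile   conf/ssl/server.key
    # Chain for the server's own (Thawte-signed) certificate only;
    # the client CAs do not belong in this file.
    SSLCertificateChainFile conf/ssl/thawte-intermediate.crt

    # Every CA a client certificate may chain to (v1 root, v2 intermediate,
    # v2 root). Valid in server/virtual-host context only, so it must
    # cover both versions; the directories below narrow it down.
    SSLCACertificateFile    conf/ssl/client-cas.crt

    # v1: certificates issued directly by the self-signed v1 root CA.
    <Directory /var/www/app/v1>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLOptions      +StrictRequire
        # Issuer DN is an assumption; use the subject of conf/ssl/v1.crt.
        SSLRequire      %{SSL_CLIENT_I_DN} eq "/O=Example/CN=v1 Root CA"
    </Directory>

    # v2: certificates issued by the v2 intermediate, itself issued by v2root
    # (client -> intermediate -> root, hence depth 2).
    <Directory /var/www/app/v2>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLOptions      +StrictRequire +ExportCertData
        # Issuer DN is an assumption; use the subject of conf/ssl/ca/v2.crt.
        SSLRequire      %{SSL_CLIENT_I_DN} eq "/O=Example/CN=v2 Intermediate CA"
    </Directory>
</VirtualHost>
```

With this layout the TLS handshake accepts any certificate that chains to one
of the three CAs in the bundle, and the per-directory SSLRequire then rejects
a certificate whose issuer is the wrong CA with a 403 Forbidden instead of a
handshake failure. +StrictRequire makes that denial stick even if a Satisfy
Any block elsewhere would otherwise let the request through. SSL_CLIENT_I_DN
is the issuer of the client certificate itself, so for v2 it is the
intermediate's DN, not the v2 root's.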
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org