SSL Client Authentication

Discussion in 'Apache' started by Pesho318i, Apr 14, 2014.

  1. #1
    Hello everyone,

    I have been trying to set up SSL client authentication with Apache and I am not sure what I am doing wrong...

    I basically have a server certificate issued by GeoTrust/RapidSSL. For the normal SSL authentication I use the following configuration (and it works fine):

    SSLEngine on 
    SSLCertificateFile /etc/ssl/certs/my-domain.crt 
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt 
    SSLCertificateKeyFile /etc/ssl/private/private.pem

    For the client authentication I created a client certificate using my-domain.crt and private.pem to sign it. Here is the openssl command:

    openssl ca -config openssl.cnf -days 360 -in client.csr -out client.crt -keyfile private.pem -cert my-domain.crt -policy policy_anything

    I created a certificate chain file by pasting my-domain.crt and then intermediate.crt into one whole my-domain-full.pem file.
    And to the Apache configuration I added:

    SSLVerifyClient optional 
    SSLVerifyDepth 10 
    SSLCACertificateFile /etc/ssl/certs/my-domain-full.pem

    I converted the client.crt into pkcs12 format and loaded it into the browser. Then I tried accessing my-domain and got the following error:
    Peer does not recognize and trust the CA that issued your certificate. (Error code: ssl_error_unknown_ca_alert)

    I hope you can see what I'm doing wrong... Thanks in advance for any hints!
     
    Pesho318i, Apr 14, 2014
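
The setup described in the post can be reproduced offline, as an added example that is not part of the original thread: a server certificate from a public CA is an end-entity certificate (basicConstraints CA:FALSE), so chain validation rejects anything it signs. All names, subjects and files below are constructed; `pubca` stands in for GeoTrust/RapidSSL and `clientca` is a hypothetical private CA created only to issue client certificates.

```bash
#!/usr/bin/env bash
# Constructed lab: every name, subject and file below is made up for this demo.
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$W/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\n' > "$W/leaf.ext"

# mkreq NAME CN: new RSA key and CSR.
mkreq() {
  openssl req -newkey rsa:2048 -nodes -keyout "$W/$1.key" -out "$W/$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}
# selfsign NAME: self-signed CA certificate (CA:TRUE) from NAME.csr.
selfsign() {
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 30 \
    -extfile "$W/ca.ext" -out "$W/$1.crt" >/dev/null 2>&1
}
# sign CSR ISSUER OUT: end-entity certificate signed with ISSUER's cert and key.
sign() {
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.crt" -CAkey "$W/$2.key" \
    -CAcreateserial -days 30 -extfile "$W/leaf.ext" -out "$W/$3.crt" >/dev/null 2>&1
}
# trusted CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE.
trusted() {
  openssl verify -purpose sslclient -CAfile "$W/$1" "$W/$2.crt" >/dev/null 2>&1
}

build_lab() {
  mkreq pubca "Stand-in Public CA"   && selfsign pubca           # plays the public CA
  mkreq server "my-domain.example"   && sign server pubca server # plays my-domain.crt
  mkreq clientca "Private Client CA" && selfsign clientca        # dedicated client CA
  mkreq client "test-user"
  sign client server   client-bad    # as in the post: issuer is the server cert
  sign client clientca client-good   # issuer is a certificate with CA:TRUE
  cat "$W/server.crt" "$W/pubca.crt" > "$W/full.pem"  # like my-domain-full.pem
}

build_lab
trusted full.pem client-bad      && echo "client-bad: accepted"  || echo "client-bad: rejected"
trusted clientca.crt client-good && echo "client-good: accepted" || echo "client-good: rejected"
```

On the Apache side, the working case corresponds to `SSLCACertificateFile` pointing at the certificate of the CA that actually issued the client certificates, here the private client CA rather than the server's own chain file.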