Apache Lounge
Topic: SSL Client Authentication
Author: pesho318i (Joined: 14 Apr 2014, Posts: 1)
Posted: Mon 14 Apr '14 11:58    Post subject: SSL Client Authentication

Hello everyone,

I have been trying to set ssl client authentication with Apache and I am not sure what I am doing wrong...

I basically have a server certificate issued by a recognized CA. For the normal ssl authentication I use the following configuration (and it works fine):

Code:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/my-domain.crt
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
SSLCertificateKeyFile /etc/ssl/private/private.pem


For the client authentication I created a client certificate using the my-domain.crt and private.pem to sign it. Here is the openssl command:

Code:
openssl ca -config openssl.cnf -days 360 -in client.csr -out client.crt -keyfile private.pem -cert my-domain.crt -policy policy_anything


... I created a certificate chain file by pasting my-domain.crt and then intermediate.crt into one whole my-domain-full.pem file.

And to the Apache configuration I added:

Code:
SSLVerifyClient optional
SSLVerifyDepth 10
SSLCACertificateFile /etc/ssl/certs/my-domain-full.pem


I converted the client.crt into pkcs12 format and loaded it into the browser. Then I tried accessing my-domain and got the following error:
Peer does not recognize and trust the CA that issued your certificate. (Error code: ssl_error_unknown_ca_alert)

I hope you can see what I'm doing wrong... Thanks in advance for any hints!
Author: James Blond, Moderator (Joined: 19 Jan 2006, Posts: 7298, Location: Germany, Next to Hamburg)
Posted: Sun 20 Apr '14 19:32

The browser doesn't know the CA cert. So you may have to import it, too.
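An added example, not part of the thread: it rebuilds the setup from the first post with a constructed throwaway PKI and runs `openssl verify` against the file that would be given to `SSLCACertificateFile`, first for a client certificate signed with the server certificate's key, then for one issued by a dedicated CA. The helper functions, every file name except `my-domain-full.pem`, and the `client-ca` are assumptions; the intermediate is left out, and the server certificate is assumed to carry `CA:FALSE`, as publicly issued server certificates do.

```shell
#!/bin/sh
# Constructed demo: all keys, names and certificates below are throwaway sample data.

new_ca() {       # new_ca DIR NAME: self-signed certificate with CA:TRUE
  openssl req -x509 -config "$1/demo.cnf" -extensions ca -subj "/CN=$2" -days 30 \
    -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
new_key_csr() {  # new_key_csr DIR NAME: fresh key and CSR with CN=NAME
  openssl req -new -config "$1/demo.cnf" -subj "/CN=$2" \
    -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
sign() {         # sign DIR SUBJECT ISSUER SECTION: ISSUER's key signs SUBJECT's CSR
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$1/demo.cnf" -extensions "$4" -days 30 -out "$1/$2.crt" 2>/dev/null
}
build_demo_pki() {  # build_demo_pki DIR: writes every file of the demo into DIR
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = unused' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' \
    '[server]' 'basicConstraints = critical,CA:FALSE' 'extendedKeyUsage = serverAuth' \
    '[client]' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = clientAuth' \
    > "$1/demo.cnf" &&
  # Stand-in for the recognized CA (intermediate left out) and the server certificate.
  new_ca "$1" public-root &&
  new_key_csr "$1" my-domain && sign "$1" my-domain public-root server &&
  # As in the post: the client certificate is signed with the server's key and cert.
  new_key_csr "$1" client-by-leaf && sign "$1" client-by-leaf my-domain client &&
  cat "$1/my-domain.crt" "$1/public-root.crt" > "$1/my-domain-full.pem" &&
  # Alternative: a dedicated CA (hypothetical name client-ca) issues the client cert.
  new_ca "$1" client-ca &&
  new_key_csr "$1" client-by-ca && sign "$1" client-by-ca client-ca client
}
verify_client() {  # verify_client CAFILE CERT: exit 0 only if the chain validates
  openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1
}

demo=$(mktemp -d)
build_demo_pki "$demo" || { echo "could not build the demo PKI" >&2; exit 1; }
verify_client "$demo/my-domain-full.pem" "$demo/client-by-leaf.crt" || echo "=> rejected"
verify_client "$demo/client-ca.crt" "$demo/client-by-ca.crt" && echo "=> accepted"
rm -rf "$demo"
```

With the paths from the first post, the same check is `openssl verify -purpose sslclient -CAfile /etc/ssl/certs/my-domain-full.pem client.crt`.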