How do I make the root CA known to apache but not valid for client authentication? (Only the sub root CA that signed the server/client should be valid.) (apache 1.3.17, mod_ssl 2.8, openssl 0.9.6)

I've got a three tier cert hierarchy like:

  root ca --signs--> project ca --signs--> server/client certs

The problem is that unless I place the root ca in SSLCACertificateFile or SSLCACertificatePath, apache complains about not being able to locate the local issuer. If I place the root in either of these, apache allows server/client certs that were signed directly by the root ca to access the server (when I only want to allow certs signed by the project ca).

I would think that one should only need SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile (containing the project ca and root ca), SSLCACertificateFile (containing just the project ca), SSLVerifyClient require, and SSLVerifyDepth 2. These settings do not work as advertised. Only the project CA is loaded at startup (looking at the ssl_engine_log) and when attempting to do a client connection, apache says it can't find the local issuer (this would seem to be the root ca, which IS IN the chain!! isn't that enough?). If I add the root ca to the SSLCACertificateFile or SSLCACertificatePath, apache allows clients signed by the root CA access.

Does apache not support three tier certificate hierarchies? Any other things I should try?

I know that the last two paragraphs basically restated the same issue but hopefully one of them will be clear enough for someone to understand.

-Matthew Lenz

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
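The situation in the post, worked through with the openssl CLI as an added example that is not from the original message or from mod_ssl: it builds a constructed root -> project -> client hierarchy (assumes an openssl binary on PATH; all CA and cert names are made up here) and shows that OpenSSL only completes a chain to a self-signed anchor in the trusted set, so the root must be trusted and the restriction to the project CA has to be enforced as a separate issuer check.

```shell
#!/bin/sh
# Constructed three-tier hierarchy (root CA -> project CA -> client certs) built
# with the openssl CLI in a temp dir; assumes openssl is on PATH.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=CA:TRUE\n' > ca.ext

# mkcert <name> <issuer> [extfile]: new key + CSR, signed by <issuer>.key/.pem.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 ${3:+-extfile "$3"} -out "$1.pem" >/dev/null 2>&1
}
# Self-signed root.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Root CA" \
  -keyout root.key -out root.pem >/dev/null 2>&1
mkcert project root ca.ext   # intermediate: needs CA:TRUE to be a valid issuer
mkcert client project        # signed by the project CA: should be accepted
mkcert rootclient root       # signed directly by the root: should be rejected

# dn <cert> <issuer|subject>: print that DN in a fixed (RFC 2253) form.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# verify_with_trust <trusted CA file> <cert>: succeeds only if OpenSSL can build
# a chain from <cert> to a self-signed anchor in the trusted file, with the
# project CA offered as an untrusted intermediate (as a chain file would be).
verify_with_trust() {
  openssl verify -CAfile "$1" -untrusted project.pem "$2" 2>/dev/null | grep -q ': OK$'
}
# issued_by_project <cert>: succeeds only if the direct issuer is the project CA.
issued_by_project() { [ "$(dn "$1" issuer)" = "$(dn project.pem subject)" ]; }
# accept <cert>: the policy the post asks for: a chain to the trusted root AND
# the issuer pinned to the project CA. Trusting only project.pem fails the chain.
accept() { verify_with_trust root.pem "$1" && issued_by_project "$1"; }

for c in client.pem rootclient.pem; do
  if accept "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```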
