I have a self-signed CA, with multiple sub-CAs.

root
 -sub-ca1
 -sub-ca2
 -server

I sign client certificates with either sub-ca1 or sub-ca2, and use server
to sign certificates for the actual website. So in my Apache config, I have
this:

        SSLEngine on
        SSLOptions +stdEnvVars
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        SSLCertificateFile /data/keys/test.crt
        SSLCertificateKeyFile /data/keys/test.key
        SSLCertificateChainFile /data/keys/chain.pem

        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLCACertificateFile /data/keys/ca.pem

test.crt is signed by server.
chain.pem contains server and root in that order
ca.pem contains sub-ca2 and root in that order

Everything seems to work fine except for the fact that the website also
accepts client certificates signed by sub-ca1. But I'm trying to restrict
this site to only sub-ca2 clients.

I tried:

1) removing the root from ca.pem, that gives me a "Certificate Verification:
Error (2): unable to get issuer certificate" error.

2) removing the root from ca.pem and adding sub-ca2 to chain.pem, same error.

3) changing SSLVerifyDepth to 1, that gives me a "Certificate Verification:
Certificate Chain too long (chain has 2 certificates, but maximum allowed
are only 1)" error.

Anyone know how to get Apache to only allow clients from one sub-CA but not
others signed by the same root?
-- 
View this message in context: 
http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22469681.html
Sent from the mod_ssl - Users mailing list archive at Nabble.com.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
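One way to keep the root as the trust anchor while still rejecting sub-ca1 clients, as an added example that is not part of the original message: ca.pem stays as posted (a sub-CA certificate cannot serve as a trust anchor on its own, which is why removing the root produces the "unable to get issuer certificate" error), and the restriction is enforced on the verified client certificate's issuer DN. The issuer CN "sub-ca2", the file /data/keys/sub-ca2.pem and the Apache 2.2 directive forms are assumptions.

```apache
# Chain verification is unchanged: the client chain must still end at the
# self-signed root, so ca.pem keeps sub-ca2 and root and the depth stays at 2.
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /data/keys/ca.pem

# Advertise only sub-ca2 as an acceptable issuer in the CertificateRequest,
# so browsers offer only matching client certificates. This is a hint to the
# client, not enforcement. (Assumed file: a PEM holding just the sub-ca2 cert.)
SSLCADNRequestFile /data/keys/sub-ca2.pem

<Location />
    # Enforcement: after the chain verifies, reject any client certificate
    # whose immediate issuer is not sub-ca2 (Apache 2.2 SSLRequire syntax).
    # The issuer CN value "sub-ca2" is an assumed example.
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "sub-ca2"

    # Apache 2.4 equivalent, where SSLRequire is deprecated:
    # Require expr %{SSL_CLIENT_I_DN_CN} == "sub-ca2"
</Location>
```

With this layout a sub-ca1 client still completes the TLS handshake (its chain is valid up to the shared root) and is refused at the HTTP access-control stage with a 403, so the rejection shows up in the access and error logs rather than as a handshake failure.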