On 26.04.2012 15:58, Tammany, Curtis wrote:
I don't see this as an Apache issue. The site has required client certs for 
years now and Apache was configured to require client certificates.

I have intermediate DOD certs on the server but OpenSSL sees my DoD Root 
certificate as un-trusted self-signed so the chain is broken. From 
http://www.openssl.org/support/faq.html:

" 5. Why does <SSL program> fail with a certificate verify error?
This problem is usually indicated by log messages saying something like "unable to get local issuer 
certificate" or "self signed certificate". When a certificate is verified its root CA must be 
"trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file 
and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues 
similar error messages: check the verify(1) program manual page for more information."

How can I get OpenSSL to "trust" my DOD root certificate?

Hmm, seems like we both are a bit wrong... :-)
You have to tell Apache about the trusted CA certificates, so that Apache can tell OpenSSL where to look for them.

The Apache directives for this are SSLCACertificatePath if you are using multiple certificate files in a directory, or SSLCACertificateFile if you use a single file with all CA certificates concatenated. See http://www.apache-ssl.org/docs.html#SSLCACertificateFile. That's the Apache part.

The OpenSSL part is that your SSLCACertificatePath or SSLCACertificateFile must contain the certificates of all your trusted CAs, including the intermediate certificates in a specific format. (N.B.: The intermediate certificates are not essential if your clients can provide them during SSL handshake, but it's more reliable if you add them to your server's list.)

For more details on how the file or directory have to look, see for example http://www.openssl.org/docs/apps/verify.html or http://www.openssl.org/docs/apps/s_server.html

Is this closer to the mark?
Ted
;)
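As an added illustration of the two points above (it is not code from this thread or from the Apache or OpenSSL projects), the following POSIX shell script builds a throwaway root -> intermediate -> client chain with the openssl command-line tool, reproduces the "unable to get local issuer certificate" and "self signed certificate" diagnostics that appear when the root is absent from the trust store, and then produces both forms Apache accepts: a concatenated PEM file for SSLCACertificateFile and a hash-named directory for SSLCACertificatePath. The subject names and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway test PKI built with the
# openssl CLI, used to show (a) why 'openssl verify' reports "unable to get
# local issuer certificate" / "self signed certificate" when the root is not
# trusted and (b) what SSLCACertificateFile / SSLCACertificatePath must contain.
# Subject names and the scratch directory are constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)                 # scratch dir for keys, certs, bundle and CApath
trap 'rm -rf "$WORK"' EXIT

# make_test_pki DIR: root (self-signed) -> intermediate -> client certificate
make_test_pki() {
    d=$1
    # extensions that mark a certificate as a CA (used for root and intermediate)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/client.pem" 2>/dev/null
}

# verify_with_file CAFILE CERT: succeed only if CERT chains to a root in CAFILE.
# Matching on ": OK" instead of the exit status keeps this working on older
# openssl builds whose 'verify' command exited 0 even when verification failed.
verify_with_file() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

# verify_with_path CAPATH CERT: the same check against a hash-named directory
verify_with_path() { openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'; }

# show_verify CAFILE CERT: print the raw openssl diagnostic for the reader
show_verify() { openssl verify -CAfile "$1" "$2" 2>&1 || true; }

# build_bundle OUT CERT...: SSLCACertificateFile form, all PEM certs concatenated
build_bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# count_certs FILE: number of PEM certificates in a bundle
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# build_capath DIR CERT...: SSLCACertificatePath form. OpenSSL looks a CA up by
# the hash of its subject name, so each file must be named <hash>.<n>; this is
# what the c_rehash script (or 'openssl rehash' on newer releases) automates.
build_capath() {
    capath=$1; shift
    mkdir -p "$capath"
    for cert in "$@"; do
        h=$(openssl x509 -noout -hash -in "$cert")
        n=0
        while [ -e "$capath/$h.$n" ]; do n=$((n + 1)); done   # distinct suffix on hash collision
        cp "$cert" "$capath/$h.$n"
    done
}

main() {
    make_test_pki "$WORK"
    echo "--- root missing from the CA file (the situation described in the thread) ---"
    show_verify "$WORK/int.pem" "$WORK/client.pem"     # unable to get local issuer certificate
    show_verify "$WORK/int.pem" "$WORK/root.pem"       # self signed certificate (error 18, depth 0)
    echo "--- root + intermediate concatenated (SSLCACertificateFile) ---"
    build_bundle "$WORK/bundle.pem" "$WORK/root.pem" "$WORK/int.pem"
    show_verify "$WORK/bundle.pem" "$WORK/client.pem"  # client.pem: OK
    echo "--- same CAs as a hashed directory (SSLCACertificatePath) ---"
    build_capath "$WORK/capath" "$WORK/root.pem" "$WORK/int.pem"
    ls "$WORK/capath"
    verify_with_path "$WORK/capath" "$WORK/client.pem" && echo "client.pem: OK via CApath"
}
main
```

The bundle form is the one to reach for first: it is a plain concatenation, order does not matter, and a wrong or missing hash-named file cannot silently break the lookup. Whichever form is used, the self-signed root has to be present; an intermediate alone, as the first two verify calls show, is never enough for OpenSSL to consider the chain trusted.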



Curtis


-----Original Message-----
From: Bernhard Fröhlich [mailto:t...@convey.de]
Sent: Thursday, April 26, 2012 09:39
To: openssl-users@openssl.org; Tammany, Curtis
Subject: Re: How to trust a 'root' certificate

On 26.04.2012 15:15, Tammany, Curtis wrote:
Hello-

I am running Apache 2.2.22 with OpenSSL 1.0.1 on Windows (XP for dev and
server 2003 for production)

The site requires client (CAC) certificates.

I am getting "FAILED:unable to get local issuer certificate" errors in my
log file from Windows 7 clients. Digging suggested that I check the
intermediate certificates that I have on the server with the openssl verify
command which returned "error 18 at 0 depth lookup:self signed certificate"

Running openssl version -d returns "OPENSSLDIR: "c:/openssl-1.0.1/ssl". That
folder does not exist on my servers.

I think I need to get OpenSSL to trust the self signed certificate. What
steps do I take?

Thank you.
This is an Apache question and is only loosely connected to OpenSSL.

I'll take the liberty to forward you to CAcert.org's WiKi which has a
page explaining how to configure Apache for client certificates at
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication
It may not be exactly what you need but might give you the right ideas.

Otherwise Apache's support groups may be able to help you in more detail.

I hope this helps a bit,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

