On 04/26/2012 03:58 PM, Tammany, Curtis wrote:
I don't see this as an Apache issue. The site has required client certs for 
years now and Apache was configured to require client certificates.

I have intermediate DOD certs on the server but OpenSSL sees my DoD Root 
certificate as un-trusted self-signed so the chain is broken. From 
http://www.openssl.org/support/faq.html:


" 5. Why does <SSL program> fail with a certificate verify error?
This problem is usually indicated by log messages saying something like "unable to get local issuer 
certificate" or "self signed certificate". When a certificate is verified its root CA must be 
"trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file 
and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues 
similar error messages: check the verify(1) program manual page for more information."

How can I get OpenSSL to "trust" my DOD root certificate?


In general, all certificates that you have in Apache as client CAs are trusted, but they need
to chain up to some root, which must be part of the set.

If the certificates are in a directory, and you have changed the OpenSSL version, you
might want to rehash. The hash logic was changed at some version.
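A constructed shell demo of the advice in this reply (added here; it is not from the thread and not OpenSSL's own tooling): it builds a throwaway root -> intermediate -> client chain, shows that `openssl verify` fails while the root is missing from the CApath directory or present but unhashed, and succeeds once the root is hashed in. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; all subject names are hypothetical.

```shell
#!/bin/sh
# Reproduce the quoted failure with a constructed demo PKI, then fix it the
# way the reply suggests: make the root part of the trusted set and (re)hash.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# Constructed demo certificates (hypothetical names, 1-day validity).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.crt 2>/dev/null
issue() { # issue <name> <subject> <issuer-prefix> <extfile>
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 1 -extfile "$4" -out "$1.crt" 2>/dev/null
}
issue int    '/CN=Demo Intermediate CA' root ca.ext
issue client '/CN=demo client'          int  leaf.ext

# Link a certificate into a CApath directory under its subject-hash name,
# which is what c_rehash / "openssl rehash" do. This must be redone when
# files are added or when the OpenSSL version (and so the hash) changes.
hash_into() { ln -sf "$PWD/$2" "$1/$(openssl x509 -noout -hash -in "$2").0"; }

# verify_client <CApath>: prints "ok" if client.crt chains to a trusted root
# found in <CApath>; the intermediate is supplied as untrusted, as a client
# would send it during the TLS handshake.
verify_client() {
    if openssl verify -no-CAfile -CApath "$1" -untrusted int.crt client.crt \
        >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

mkdir -p cadir
hash_into cadir int.crt      # intermediate only: chain never reaches a root
R1=$(verify_client cadir)    # fail ("unable to get local issuer certificate")
cp root.crt cadir/           # root present but not under a hash name
R2=$(verify_client cadir)    # fail: CApath lookup only sees <hash>.N files
hash_into cadir root.crt     # the "rehash" step makes the root findable
R3=$(verify_client cadir)    # ok
echo "intermediate only: $R1, root unhashed: $R2, root hashed: $R3"
```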



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org