In my htaccess file I have the following: SSLRequireSSL SSLVerifyClient require SSLVerifyDepth 5 SSLOptions +ExportCertData
In my httpd.conf file, I have the following: SSLCACertificatePath conf/certs/ SSLCACertificateFile conf/certs/DOD_EMAILCerts.crt DOD_EMAILCerts.crt contains the root cert plus many intermediates. The site has been working fine for the most part for years. We are tracking SSL_CLIENT_VERIFY in our log file and with some Windows 7 clients, they cannot connect and we are seeing " FAILED:unable to get local issuer certificate" in the log. As I said in an earlier email, used the openssl version -d command and it responded: "OPENSSLDIR: "c:/openssl-1.0.1/ssl" That folder does not exist. Running openssl verify DOD_EMAILCerts.crt (with the cert file in the bin folder) returns: DOD_EMAILCerts.crt: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2 error 18 at 0 depth lookup:self signed certificate OK From http://www.madboa.com/geek/openssl/ I read: " error 18 at 0 depth lookup:self signed certificate. Unless you make an exception, OpenSSL won’t verify a self-signed certificate." They also go on to say: " How do I get OpenSSL to recognize/verify a certificate? Put the file that contains the certificate you’d like to trust into the certs directory discussed above. Then create the hash-based symlink. Here’s a little script that’ll do just that. #!/bin/sh # # usage: certlink.sh filename [filename ...] for CERTFILE in $*; do # make sure file exists and is a valid cert test -f "$CERTFILE" || continue HASH=$(openssl x509 -noout -hash -in "$CERTFILE") test -n "$HASH" || continue # use lowest available iterator for symlink for ITER in 0 1 2 3 4 5 6 7 8 9; do test -f "${HASH}.${ITER}" && continue ln -s "$CERTFILE" "${HASH}.${ITER}" test -L "${HASH}.${ITER}" && break done done" That is for Linux. How do I get OpenSSL to recognize/verify a certificate on Windows XP/2003? (like step-by-step instructions). Thanks. Curtis -----Original Message----- From: Peter Sylvester [mailto:peter.sylves...@edelweb.fr] Sent: Thursday, April 26, 2012 10:40 To: openssl-users@openssl.org Cc: Tammany, Curtis; Bernhard Fröhlich Subject: Re: How to trust a 'root' certificate On 04/26/2012 03:58 PM, Tammany, Curtis wrote: > I don't see this as an Apache issue. The site has required client certs for > years now and Apache was configured to require client certificates. > > I have intermediate DOD certs on the server but OpenSSL sees my DoD Root > certificate as un-trusted self-signed so the chain is broken. From > http://www.openssl.org/support/faq.html: > > " 5. Why does<SSL program> fail with a certificate verify error? > This problem is usually indicated by log messages saying something like > "unable to get local issuer certificate" or "self signed certificate". When a > certificate is verified its root CA must be "trusted" by OpenSSL this > typically means that the CA certificate must be placed in a directory or file > and the relevant program configured to read it. The OpenSSL program 'verify' > behaves in a similar way and issues similar error messages: check the > verify(1) program manual page for more information." > > How can I get OpenSSL to "trust" my DOD root certificate? > > In general all certificates that you have in the apache as client CAs are trusted but they need to chain up to some root which must be part of the set. If the certficates are in a directory, and you have changed the openssl version, you might want to rehash. The hash logic had been changed at some version.
