On 04/26/2012 05:20 PM, Tammany, Curtis wrote:
In my htaccess file I have the following:
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +ExportCertData

In my httpd.conf file, I have the following:
SSLCACertificatePath conf/certs/
SSLCACertificateFile conf/certs/DOD_EMAILCerts.crt
I am not sure which one takes precedence, but having
both is probably not ok with apache.  Try:

   cd conf/certs/
   c_rehash

That's for linux. But for windows, the openssl logic is
the same, it opens the file. OpenSSL doesn't know whether
it is a link or a file.

So ....


DOD_EMAILCerts.crt contains the root cert plus many intermediates.

The site has been working fine for the most part for years. We are tracking 
SSL_CLIENT_VERIFY in our log file and with some Windows 7 clients, they cannot connect 
and we are seeing " FAILED:unable to get local issuer certificate" in the log.

As I said in an earlier email, I used the openssl version -d command and it responded: 
OPENSSLDIR: "c:/openssl-1.0.1/ssl". That folder does not exist.
Running openssl verify DOD_EMAILCerts.crt (with the cert file in the bin 
folder) returns:
DOD_EMAILCerts.crt: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD 
Root CA 2
error 18 at 0 depth lookup:self signed certificate
OK
with that command you are verifying the first cert in that file, and since
it is probably self signed, you cannot do that.

If, on the other hand you happen to have an intermediate as the
beginning you get the other cannot find issuer message.



From http://www.madboa.com/geek/openssl/ I read:
" error 18 at 0 depth lookup:self signed certificate. Unless you make an exception, 
OpenSSL won’t verify a self-signed certificate."

They also go on to say:
" How do I get OpenSSL to recognize/verify a certificate?
Put the file that contains the certificate you’d like to trust into the certs 
directory discussed above. Then create the hash-based symlink. Here’s a little 
script that’ll do just that.

#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
#
# For each certificate file, create the <subject-hash>.<n> symlink that
# OpenSSL's directory lookup expects, using the lowest free n.

for CERTFILE in "$@"; do
   # make sure file exists and is a valid cert
   test -f "$CERTFILE" || continue
   HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
   test -n "$HASH" || continue

   # use lowest available iterator for symlink
   for ITER in 0 1 2 3 4 5 6 7 8 9; do
     test -f "${HASH}.${ITER}" && continue
     ln -s "$CERTFILE" "${HASH}.${ITER}"
     test -L "${HASH}.${ITER}" && break
   done
done"

That is for Linux.
How do I get OpenSSL to recognize/verify a certificate on Windows XP/2003? 
(like step-by-step instructions).
... instead of ln -s you can create a copy ...
for more detailed instruction, I can charge you 100EUR per line. :-)
...


... Just put all the CA certificates into one file and remove the

SSLCACertificatePath

and just keep the

SSLCACertificateFile


Thanks.

Curtis


-----Original Message-----
From: Peter Sylvester [mailto:peter.sylves...@edelweb.fr]
Sent: Thursday, April 26, 2012 10:40
To: openssl-users@openssl.org
Cc: Tammany, Curtis; Bernhard Fröhlich
Subject: Re: How to trust a 'root' certificate

On 04/26/2012 03:58 PM, Tammany, Curtis wrote:
I don't see this as an Apache issue. The site has required client certs for 
years now and Apache was configured to require client certificates.

I have intermediate DOD certs on the server but OpenSSL sees my DoD Root 
certificate as un-trusted self-signed so the chain is broken. From 
http://www.openssl.org/support/faq.html:
" 5. Why does <SSL program> fail with a certificate verify error?
This problem is usually indicated by log messages saying something like "unable to get local issuer 
certificate" or "self signed certificate". When a certificate is verified its root CA must be 
"trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file 
and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues 
similar error messages: check the verify(1) program manual page for more information."

How can I get OpenSSL to "trust" my DOD root certificate?


In general all certificates that you have in the apache as client CAs
are trusted but they need to chain up to some root which must be part
of the set.

If the certificates are in a directory, and you have changed the openssl
version, you might want to rehash. The hash logic had been changed at
some version.




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
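The following script is an added example and is not part of the thread or of the madboa.com page; it shows the advice above in working form. It builds a hashed CA directory the way c_rehash and certlink.sh do but with copies instead of symlinks (Peter's suggestion for Windows), writes both the current and the pre-1.0.0 hash names because the hash algorithm changed in OpenSSL 1.0.0, and then runs openssl verify on a root-first bundle like DOD_EMAILCerts.crt, on an intermediate with no trust store, and on the same intermediate with -CApath and -CAfile. It assumes an openssl binary of 1.0.0 or later on the PATH; the root and intermediate certificates, the ca.cnf file and the verify_ok/install_hashed helper names are all constructed here and are not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a hashed CA directory like
# c_rehash / certlink.sh but with copies instead of symlinks, then shows how
# 'openssl verify' behaves with and without a trust store. Needs the openssl
# binary (1.0.0 or later); all certificates are constructed test data.
set -u

WORK=$(mktemp -d)
CERTS="$WORK/certs"
mkdir -p "$CERTS"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so this also runs where OPENSSLDIR and its openssl.cnf
# are missing, as on the Windows box in the thread.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed test PKI: a self-signed root and an intermediate it signs,
# concatenated root-first into a bundle shaped like DOD_EMAILCerts.crt.
make_test_pki() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 2 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions v3_ca \
    -out "$WORK/inter.crt" >/dev/null 2>&1 || return 1
  cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/bundle.crt"
}

# Install one PEM certificate into DIR as <hash>.<n> with the lowest free n,
# exactly like certlink.sh but copying instead of symlinking. Both the
# current (-hash) and the pre-1.0.0 (-subject_hash_old) names are written:
# a directory hashed for one scheme is invisible to a build using the other.
install_hashed() {
  certfile=$1; dir=$2
  for flag in -hash -subject_hash_old; do
    hash=$(openssl x509 -noout "$flag" -in "$certfile") || return 1
    iter=0
    while [ -e "$dir/$hash.$iter" ]; do iter=$((iter + 1)); done
    cp "$certfile" "$dir/$hash.$iter" || return 1
  done
}

# Prints 0 if 'openssl verify' accepts CERT with the given trust-store
# options, 1 otherwise (an if-test, so it is safe under set -e).
verify_ok() {
  cert=$1; shift
  if openssl verify "$@" "$cert" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Number of entries in a hashed directory (2 per installed certificate).
count_entries() { ls "$1" | wc -l | tr -d ' '; }

demo() {
  make_test_pki || { echo "could not build test PKI (is openssl installed?)"; return 1; }
  install_hashed "$WORK/root.crt" "$CERTS" || return 1
  install_hashed "$WORK/inter.crt" "$CERTS" || return 1
  echo "hashed directory:"; ls "$CERTS"
  # Verifying the bundle only checks its first certificate, the self-signed
  # root: this is the 'error 18 ... self signed certificate' case.
  echo "verify bundle.crt:"; openssl verify "$WORK/bundle.crt" 2>&1 || true
  echo "inter, no trust store:      $(verify_ok "$WORK/inter.crt")"
  echo "inter, -CApath hashed dir:  $(verify_ok "$WORK/inter.crt" -CApath "$CERTS")"
  echo "inter, -CAfile bundle.crt:  $(verify_ok "$WORK/inter.crt" -CAfile "$WORK/bundle.crt")"
  echo "root, -CApath hashed dir:   $(verify_ok "$WORK/root.crt" -CApath "$CERTS")"
}

demo
```

Run it as `sh hashed-cadir.sh`. The intermediate fails on its own ("unable to get local issuer certificate", the message seen in the Apache log) and passes once the root is reachable either through the hashed directory or through the bundle file; the root itself only verifies when it is in the trust store, which is what "trusting" a self-signed root means to OpenSSL. What the bare verify of the bundle prints depends on the release: the 1.0.1 build in the thread prints error 18 and then OK, so the printed result of that step is not something to script against.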
