Client Verification with sub ca's
I have a self signed ca, with multiple sub-ca's. root -sub-ca1 -sub-ca2 -server I sign client certificates with either -sub-ca1 or -sub-ca2, and use server to sign certificates for the actual website. So in my apache config, i have this: SSLEngine on SSLOptions +stdEnvVars SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /data/keys/test.crt SSLCertificateKeyFile /data/keys/test.key SSLCertificateChainFile /data/keys/chain.pem SSLVerifyClient require SSLVerifyDepth 2 SSLCACertificateFile /data/keys/ca.pem test.crt is signed by server. chain.pem contains server and root in that order ca.pem contains sub-ca2 and root in that order Everything seems to work fine except for the fact that the website also excepts client certificates signed by sub-ca1. But I'm trying to restrict this site to only sub-ca2 clients. I tried: 1) removing the root from ca.pem, that gives me a Certificate Verification: Error (2): unable to get issuer certificate error. 2) removing the root from ca.pem adding sub-ca2 to chain.pem, same error. 3) changing SSLVerifyDepth to 1, that give me a Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1) error. Anyone know how to get apache to only allow clients from one sub-ca but not others signed by the same root? -- View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22469681.html Sent from the mod_ssl - Users mailing list archive at Nabble.com. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: Client Verification with sub ca's
Hi, Same setup as works with both subCAs. Use the SSLRequire directive. Restrict on the client certs issuer field (SSL_CLIENT_I_DN...). Regards Matt - Original Message From: leanmeandonothingmachine leanmeandonothingmach...@gmail.com To: modssl-users@modssl.org Sent: Thursday, March 12, 2009 2:03:07 PM Subject: Client Verification with sub ca's I have a self signed ca, with multiple sub-ca's. root -sub-ca1 -sub-ca2 -server I sign client certificates with either -sub-ca1 or -sub-ca2, and use server to sign certificates for the actual website. So in my apache config, i have this: SSLEngine on SSLOptions +stdEnvVars SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /data/keys/test.crt SSLCertificateKeyFile /data/keys/test.key SSLCertificateChainFile /data/keys/chain.pem SSLVerifyClient require SSLVerifyDepth 2 SSLCACertificateFile /data/keys/ca.pem test.crt is signed by server. chain.pem contains server and root in that order ca.pem contains sub-ca2 and root in that order Everything seems to work fine except for the fact that the website also excepts client certificates signed by sub-ca1. But I'm trying to restrict this site to only sub-ca2 clients. I tried: 1) removing the root from ca.pem, that gives me a Certificate Verification: Error (2): unable to get issuer certificate error. 2) removing the root from ca.pem adding sub-ca2 to chain.pem, same error. 3) changing SSLVerifyDepth to 1, that give me a Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1) error. Anyone know how to get apache to only allow clients from one sub-ca but not others signed by the same root? -- View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22469681.html Sent from the mod_ssl - Users mailing list archive at Nabble.com. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: Client Verification with sub ca's
thanks that works, a little tricky if you want to use SSLVerifyClient optional, as it 403s everything in that case instead just not filling in the client variables. But I can always do that programmaticaly if I need it. -- View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22478223.html Sent from the mod_ssl - Users mailing list archive at Nabble.com. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: Client Verification with sub ca's
thanks that works, a little tricky if you want to use SSLVerifyClient optional, as it 403s everything in that case instead of just not filling in the client variables. But I can always do that programmaticaly if I need it. -- View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22478226.html Sent from the mod_ssl - Users mailing list archive at Nabble.com. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
