Simple question
[ Apache/1.3.9 (Unix) mod_ssl/2.4.8 OpenSSL/0.9.4 mod_perl/1.21 ]
I wish Apache to authenticate using client certs.
From httpd.conf:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/snakeoil-ca-rsa.crt
SSLOptions +FakeBasicAuth +StrictRequire
I've got this working to the following point:
(*) I've installed two personal certs in Netscape
(*) Netscape reports that I have no User Cert!
(*) Netscape connects to Apache, but Apache reports
the following in the error log:
OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate [Hint: No CAs known to server for verification?]
I tried this - remove CA options from Apache config:
SSLVerifyClient require
SSLVerifyDepth 1
##SSLCACertificateFile conf/ssl.crt/snakeoil-ca-rsa.crt
##SSLOptions +FakeBasicAuth +StrictRequire
Now Netscape brings up the cert selection dialogue. I enter password
for a cert I select, but Apache (of course) cannot validate it:
[Wed Mar 1 09:44:57 2000] [error] mod_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate
[Wed Mar 1 09:44:57 2000] [error] mod_ssl: SSL handshake failed
(server bini.in.ce.com.au:443, client 172.16.1.156) (OpenSSL library error follows)
[Wed Mar 1 09:44:57 2000] [error] OpenSSL: error:140890B2:
SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
My guess: I haven't told the Apache server about Thawte, Verisign, etc.
as Root CA's. Now, Netscape comes with the root CA's installed.
How do I provide these to Apache? (Obviously, the snake-oil CA is
useless). And I don't want to fake it with my own local CA - no point.
All comments and suggestions welcome.
BTW: I couldn't locate this information in the mod_ssl docs ;(
[or I missed it after reading the screen for two hours]
Cheers,
Rick W
---------- Rick Welykochy ----- [EMAIL PROTECTED] -----------
Corporate Express Australia - Electronic Commerce Team
Order office products from http://www.ce.com.au
Ph 02-9335-0435 Fax 02-9335-0753 Helpdesk 02-9335-0501
Opinions expressed in this message are my own and not representative
of Corporate Express Australia Limited.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
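
An added example, not part of the original post: an offline check of whether a client certificate chains to a CA in the PEM file that SSLCACertificateFile would name, which is the condition "Error (20): unable to get local issuer certificate" reports as unmet. It assumes the openssl command-line tool is installed; the throwaway CAs, file names and function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example. All CAs, certificates and names here are constructed.

# make_ca DIR NAME: create a self-signed CA (NAME.key, NAME.crt) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_client DIR CA NAME: create NAME.crt in DIR, signed by CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial 1 -days 1 -out "$1/$3.crt" 2>/dev/null
}

# issuer_known BUNDLE CERT: succeed only if CERT chains to a CA in BUNDLE.
# "openssl verify" prints "<file>: OK" on success; a missing issuer is
# reported as error 20, unable to get local issuer certificate.
issuer_known() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# demo: returns 0 if a bundle holding only an unrelated CA rejects the
# client certificate and a bundle that also holds its issuer accepts it.
demo() {
    d=$(mktemp -d) || return 1
    rc=1
    if make_ca "$d" issuing-ca && make_ca "$d" snakeoil-ca &&
       issue_client "$d" issuing-ca user; then
        cat "$d/snakeoil-ca.crt" "$d/issuing-ca.crt" > "$d/ca-bundle.crt"
        if ! issuer_known "$d/snakeoil-ca.crt" "$d/user.crt" &&
           issuer_known "$d/ca-bundle.crt" "$d/user.crt"; then
            rc=0
        fi
    fi
    rm -rf "$d"
    return $rc
}

demo && echo "issuer check behaves as expected"
```

A bundle that passes issuer_known for the real client certificate is what SSLCACertificateFile needs to point at. With SSLVerifyDepth 1, mod_ssl accepts a client certificate only if it is self-signed or issued directly by a CA in that file.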