There were no replies so I thought I would repost one final time.
I am running RH6.1 with:
Server: Apache/1.3.11 (Unix) PHP/3.0.14 mod_ssl/2.5.0 OpenSSL/0.9.4
I am trying to require a client cert with:
SSLVerifyClient require
And I have my CA's Cert in PEM format under:
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt
Unfortunately my error log says:
mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
QUESTION ONE:
My CA's cert is a version 1 cert
Is this the reason for the problem?
QUESTION TWO:
Before writing this letter I wanted to try recreating the test with a
version 3 cert for my CA. To my surprise both MSIE and Netscape refuse
to use the new client certs (based on the new CA).
It simply doesn't show up on the list when the browser asks you to
choose a cert for the site. The client certs are fine for S/MIME and
such though.
Even tried creating a cert with the cca.sh script and the cert is
fine, except it doesn't show up in the list of available certs when
doing certificate verification.
Has anyone seen this before?
QUESTION THREE:
I am building a CA for real so my root cert better be right the first
time.
Given the choice, what is better for a root cert:
A version 1 cert or..
A version 3 cert with the basic constraints set?
Thanks for any feedback
Gerald
--------------------------------------------------------------------
I n t e r K n o w l e d g e
Gerald Villemure
I am a DO-er, not a TRY-er. email: [EMAIL PROTECTED]
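
Error 20 is what OpenSSL reports when the certificate that issued the client cert cannot be found among the trusted CA certificates. The script below is an added example, not part of the original post: it builds two throwaway roots and one client cert (all names and subjects are constructed, and a current openssl CLI is assumed) and runs the same check outside Apache, once passing and once failing with error 20.

```sh
#!/bin/sh
# Added diagnostic example; CA names, subjects and file names are constructed.
# Assumes a current openssl CLI on PATH.

make_ca() {       # make_ca DIR NAME: self-signed v3 root, basicConstraints CA:TRUE
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    'prompt=no' '[dn]' "CN=$2" '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$1/$2.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_client() {  # issue_client DIR CA_NAME: client cert signed by that CA
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -subj '/CN=constructed-client' \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -set_serial 1 -days 2 -out "$1/client.crt" 2>/dev/null
}

cert_version() {  # X.509 version field of a PEM certificate (1 or 3)
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

verify_against() {  # verify_against CAFILE CERT: prints OK or "error N"
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at.*/error \1/p' | sed -n 1p ;;
  esac
}

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" good-ca && make_ca "$d" other-ca && issue_client "$d" good-ca || return 1
  echo "root cert version:      $(cert_version "$d/good-ca.crt")"
  echo "issuer in CA file:      $(verify_against "$d/good-ca.crt" "$d/client.crt")"
  echo "issuer missing from it: $(verify_against "$d/other-ca.crt" "$d/client.crt")"
  rm -rf "$d"
}
demo
```

To check a real deployment the same way, pass the file named in SSLCACertificateFile as CAFILE and the exported client certificate as CERT.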