Hi all,
I was able to get mutual authentication to work with a single-tier hierarchy
(using only a root). My root is a Netscape CA. Now, due to policy reasons, I
have added another CA (again it's Netscape) to my hierarchy. Here's what it
looks like:
    Root
      |
    Intermediate CA
      |
    Apache Server Certificate and User Certificate
In looking at the documentation, it appears that I need to first load the
Intermediate CA and then the root in the ca-bundle.crt file (which I have done
both this way and the other way). After making this change, I did a make in
the directory containing the server and CA certs, and then restarted the
server.
I performed baby steps after adding the chain of certs. I first did one-way
authentication and was able to successfully access the server. Then, I
required two-way authentication and this is where I received the problems.
The server complained that no client certificate was passed. I turned on debug
mode on the SSL logs to see what was happening. I determined that both the
server and the client passed the entire chain of certificates to each other as
I could see the chains in the log file. Then, after the client passed its
chain of certificates, the logs said that the certificate verification depth
is 2 (which is correct) and that the subject and the issuer are the ROOT, and
then: certificate verification error: certificate signature failure! Then it
spits out that no client certificate was passed.
Any help would be greatly appreciated.
Lorrayne Schaefer
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
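As an added illustration (this is not code from the post above, nor from mod_ssl or Netscape CA), the script below rebuilds the hierarchy described in the message with the openssl CLI: a self-signed root, an intermediate CA signed by it, and a server and a client certificate signed by the intermediate. It then assembles ca-bundle.crt as intermediate + root and checks each leaf against it with "openssl verify", which performs the same chain and signature checks mod_ssl runs when it validates a client certificate. It also builds a second, deliberately wrong bundle whose root carries the right subject name but a different key, which is one way to end up with a root that is found by name and then rejected. All subjects, file names and serial numbers are made-up values for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build the two-tier hierarchy
# (Root -> Intermediate CA -> server/client leaf certs) with the openssl
# CLI, assemble ca-bundle.crt as intermediate + root, and check each leaf
# against it with "openssl verify". All names and subjects are made up.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# issue_cert <dir> <name> <subject> <issuer-name|self> <extfile> <serial>
# Creates <name>.key / <name>.csr and signs the CSR. "self" makes a
# self-signed certificate (used for the roots); otherwise the CSR is signed
# with <issuer-name>.crt / <issuer-name>.key from the same directory.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    if [ "$4" = self ]; then
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
            -set_serial "$6" -days 60 -extfile "$5" -out "$1/$2.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
            -set_serial "$6" -days 30 -extfile "$5" -out "$1/$2.crt" >/dev/null 2>&1
    fi
}

# build_hierarchy <dir>: writes root, intermediate, server and client certs,
# the correct ca-bundle.crt, plus a deliberately wrong bundle whose "root"
# (stale-root.crt) has the right subject name but a different key, so it
# is not the key that signed the intermediate.
build_hierarchy() {
    cat > "$1/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
    cat > "$1/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
EOF
    issue_cert "$1" root         "/CN=Example Root CA"         self         "$1/ca.ext"   1
    issue_cert "$1" stale-root   "/CN=Example Root CA"         self         "$1/ca.ext"   2
    issue_cert "$1" intermediate "/CN=Example Intermediate CA" root         "$1/ca.ext"   10
    issue_cert "$1" server       "/CN=www.example.test"        intermediate "$1/leaf.ext" 100
    issue_cert "$1" client       "/CN=Example User"            intermediate "$1/leaf.ext" 101

    # The bundle a CA file for mod_ssl needs: every CA in the chain.
    cat "$1/intermediate.crt" "$1/root.crt"       > "$1/ca-bundle.crt"
    # Same shape, but with the wrong root certificate.
    cat "$1/intermediate.crt" "$1/stale-root.crt" > "$1/wrong-bundle.crt"
}

# verify_against <bundle> <cert>: exit status of "openssl verify", i.e. 0
# only when a full chain from <cert> up to a self-signed certificate in
# <bundle> validates, every signature included.
verify_against() {
    openssl verify -CAfile "$1" "$2"
}

# Demo: the good bundle validates both leaves; the root alone cannot (no
# intermediate to link through); the wrong-root bundle offers a root that
# did not sign the intermediate, so the chain is rejected as well.
demo() {
    d=$(mktemp -d)
    build_hierarchy "$d"
    for bundle in ca-bundle.crt root.crt wrong-bundle.crt; do
        for leaf in server.crt client.crt; do
            printf '== %s against %s: ' "$leaf" "$bundle"
            if verify_against "$d/$bundle" "$d/$leaf"; then
                echo "   -> chain OK"
            else
                echo "   -> chain REJECTED"
            fi
        done
    done
    rm -rf "$d"
}

demo
```

"openssl verify -CAfile" loads every certificate in the file into the trust store, so the order of intermediate and root inside ca-bundle.crt does not affect the result; mod_ssl loads the file named by SSLCACertificateFile the same way. When a chain that verifies here is still rejected by the server, the useful comparison is whether the root the client sends (visible in the debug log) is byte-for-byte the root in the bundle, since two roots with the same subject name but different keys look identical in a log line that prints only subject and issuer.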