Has anyone got their Globus CA signed with a gatekeeper host certificate
"server certificate" to operate a web site and authenticate
with a Netscape Communicator client?
I am using the apache 1.3.12 (w/mod_ssl) web server on Linux 2.2.16-3smp
using Globus1.1.3 and OpenSSL 0.9.5a.
I have spent many hours on this and I can't get the client authenticated
with

    SSLVerifyClient required
    SSLVerifyDepth 1 [or 2]

Neither works.
If I turn client authentication off,

    SSLVerifyClient none
    SSLVerifyDepth 0

of course, it works fine, but I need to authenticate my clients.
I did, however, learn how to get the Globus CA installed into my
Netscape Communicator browser as a trusted certificate. You
have to add the MIME type "application/x-x509-ca-cert" to your
Netscape preferences.
See URL, step 3
http://www.graphics.lcs.mit.edu/vrmlTracer/installCertificate.html
I used the Globus CA certificate 42864e48.0 located in the
/opt/globus1.1.3/share/certificates directory as the apache
SSLCACertificateFile.
I also tried pointing to the directory where all the CA are located with
the apache SSLCACertificatePath directive.
I used /opt/globus1.1.3/etc/globus-gatekeeper.cert as the apache
SSLCertificateFile, and
/opt/globus1.1.3/etc/globus-gatekeeper.key as the apache
SSLCertificateKey.
I used the globus-gatekeeper.cert as my user "Client"
certificate and generated it as follows:

    openssl pkcs12 -export -in /opt/globus1.1.3/etc/globus-gatekeeper.cert \
        -inkey /opt/globus1.1.3/etc/globus-gatekeeper.key \
        -certfile /opt/globus/share/certificates/42864e48.0 \
        -out netscape.bernie.cert.p12 -name 'Bernie'
    Enter Export Password:
    Verifying password - Enter Export Password:

I had to use the globus-gatekeeper.cert as my client cert as Netscape
Communicator requires the common name CN to be the host name of the web
server you are trying to access.
APACHE LOGS THE FOLLOWING:
OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate [Hint: No CAs known to server for
verification?]
NETSCAPE COMMUNICATOR POPS THE FOLLOWING WINDOW:
No User Certificate
______________________________
If I don't get anywhere on this soon, I will have to use a commercial CA
to sign my Apache web server and client certificates.
Any help would be much appreciated.
-- Tammy
==================================================
Tammy M. Blaser
NASA John H. Glenn Research Center
Flight Software Engineering Organization 7750
Mail stop 86-11
216-433-2699 (office)
216-433-8269 (fax)
[EMAIL PROTECTED]
==================================================
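
A check that could be run against the CA file and client certificate named in the post, given here as an added example that is not part of the original message: it tests whether a candidate client certificate was issued by the CA file handed to Apache, verifies against it, and passes OpenSSL's SSL-client purpose check. The demo PKI, file names and function names are constructed for illustration, and a current openssl command-line tool with its default configuration file is assumed.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaway test material.

# check_client_cert CAFILE CERT
# Prints one finding per line; returns 0 only when CERT was issued by the CA in
# CAFILE, verifies against it, and is acceptable for the SSL client purpose.
check_client_cert() {
    ca=$1; cert=$2; rc=0
    # Servers advertise their accepted CA names; a cert from another issuer
    # is normally not offered by the browser at all.
    if [ "$(openssl x509 -noout -issuer_hash -in "$cert")" != \
         "$(openssl x509 -noout -subject_hash -in "$ca")" ]; then
        echo "issuer-mismatch"; rc=1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain-fail"; rc=1
    elif ! openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "not-ssl-client"; rc=1
    fi
    return $rc
}

# make_demo_pki DIR: demo CA, a clientAuth cert, a serverAuth-only cert, and a
# self-signed cert unrelated to the CA (hypothetical names throughout).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Demo/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Other/CN=other" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    for kind in client server; do
        openssl req -newkey rsa:2048 -nodes -subj "/O=Demo/CN=$kind.example" \
            -keyout "$d/$kind.key" -out "$d/$kind.csr" 2>/dev/null
        printf 'extendedKeyUsage=%sAuth\n' "$kind" > "$d/$kind.ext"
        openssl x509 -req -in "$d/$kind.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 2 -extfile "$d/$kind.ext" \
            -out "$d/$kind.pem" 2>/dev/null
    done
}

demo=$(mktemp -d)
make_demo_pki "$demo"
for c in client server other; do
    echo "$c.pem: $(check_client_cert "$demo/ca.pem" "$demo/$c.pem" | tr '\n' ' ')"
done
```

With real files, the call is `check_client_cert <SSLCACertificateFile> <client cert in PEM form>`; an empty result means none of the three checks objected.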
