I had exactly the same issue.
The problem was that when I moved to this new type of cert [sub CA], I didn't read all the installation information :-)
We used BT Trust Services, which provided an 'intermediate certificate'.
The intermediate cert is required to identify the Root CA.
I downloaded it from their site on our server.
I used the SSLCertificateChainFile directive first, but the server still wouldn't start.
Error was:
[Wed Aug 20 19:41:22 2003] [error] Failed to configure CA certificate chain!
I then used:
SSLCACertificateFile /www/ssl/oursite.co.uk/intermediate.crt
SSLCertificateFile /www/ssl/oursite.co.uk/oursite.crt
SSLCertificateKeyFile /www/ssl/oursite.co.uk/oursite.key
It works perfectly with Apache 2.0.4x
Hope this helps.
Regards
Bruno Georges

On Friday, Oct 24, 2003, at 15:04 Europe/London, Chris Covell wrote:
Hello there, can any of you guys help me with this problem please?
I have been using mod_ssl and client authentication via apache for some time
now without any problems. My Apache configuration has been the usual:
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/cacert.crt
No worries.
Up until now the CA certificate has always been a self signed root CA. But
today I need to use a web server cert signed by a sub CA and have my clients
authenticated using certs from the sub CA.
I did not think that this would be a problem, so I just copied the correct
files in to the correct places (sub ca cert to SSLCACertificateFile and
server cert to SSLCertificateFile). But I got a page not found error in IE
and the Apache error:
mod_ssl: Certificate Verification: Error (20): unable to get local issuer
certificate
OK, so I implemented the SSLCertificateChainFile
with a bundle of the two certs in my chain, sub and root.
I know openssl can get them because:
openssl verify -CAfile chain.crt server.crt
works a treat.
I have now tried various combinations of chain file content (root ca, sub ca,
etc) and even putting the chain certs in the server.crt file, but none of
these helps.
I am running an "up2date" RedHat 7.2 with out-of-the-box Apache and mod_ssl.
Has anyone got an answer for me, please !!!!! I am sure this is possible, and
none of the docs seem to suggest that I am going to have any issues.
Chris...
______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Bruno Georges Xbridge Ltd Tel: +44 (0) 207 378 9830 Mob: +44 (0) 787 988 4895
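The `openssl verify -CAfile chain.crt server.crt` check from the thread, extended into an added example (not part of the original messages) that builds a constructed root, sub CA and server certificate and reports the verify result for each choice of trust file. All file names and the `build_demo_pki`, `verify_code` and `demo` helpers are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: throwaway root -> sub CA -> server chain (all names constructed).

build_demo_pki() {  # usage: build_demo_pki <empty-dir>
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
    for n in root sub server; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 1
    done
    # Self-signed root, sub CA signed by the root, server cert signed by the sub CA.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 \
        -days 2 -extfile "$d/demo.cnf" -extensions ca -out "$d/root.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/demo.cnf" -extensions ca \
        -out "$d/sub.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
        -set_serial 3 -days 2 -extfile "$d/demo.cnf" -extensions leaf \
        -out "$d/server.crt" 2>/dev/null &&
    cat "$d/sub.crt" "$d/root.crt" > "$d/chain.crt"   # bundle of sub and root
}

# Print the first verify error number openssl reports, or 0 if it reports none.
verify_code() {  # usage: verify_code <cert> <CAfile> [untrusted-intermediates]
    out=$(openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

demo() {
    dir=$(mktemp -d) && build_demo_pki "$dir" || return 1
    echo "root only (no intermediate):  $(verify_code "$dir/server.crt" "$dir/root.crt")"
    echo "sub CA only (no root):        $(verify_code "$dir/server.crt" "$dir/sub.crt")"
    echo "sub + root bundle as CAfile:  $(verify_code "$dir/server.crt" "$dir/chain.crt")"
    echo "root trusted, sub untrusted:  $(verify_code "$dir/server.crt" "$dir/root.crt" "$dir/sub.crt")"
    rm -rf "$dir"
}
demo
```

Each line shows the verify result for one trust setup: 20 is the "unable to get local issuer certificate" error quoted in the thread, and 0 means the chain verified.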