Fitzner Daniel wrote:
Hello guys,
I have following pki-environment:
                 RootCA
                /      \
    Issuing SubCA-1   Issuing SubCA-2
          |                  |
      UserCert-A         UserCert-B
I want to make clientauthentication with certificates only for user with certs from the Issuing SubCA-2.
So I made the following configuration:
    SSLVerifyClient require
    SSLCACertificateFile CACHAIN.PEM
    SSLVerifyDepth 2
CACHAIN.PEM includes the cert from RootCA and from the Issuing SubCA-2.
Now comes the problem. Not only users with certs from SubCA-2 can connect; users with certs from SubCA-1 (e.g. UserCert-A) can connect too.
How can I avoid this?
I tried to use only the certificate from SubCA-2 in the directive (SSLCACertificateFile SubCA-2.pem), but with this config no one can connect, not even the clients with certs from SubCA-2.
I know the possibility to check for various ingredients of the client certificate (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular) but I don't want to use this.
I read an old post (http://www.mail-archive.com/modssl-users@modssl.org/msg10335.html) in this mailing list. This post said that users with certs from SubCA-1 should not be able to connect.
Please help, I have no new ideas.
Best regards,
Daniel
______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Hi Daniel,
have a look at this topic of the mod_ssl howto, it will help you solve your problem: http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8
Good luck.
--
Charles-Edouard Ruault
Idtect SA
115 rue Reaumur - 75002, Paris, France
Tel: +33-1-55-34-76-65
Fax: +33-1-55-34-76-75
Web: http://www.idtect.com
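As an added example (not code from the thread or from mod_ssl), the script below rebuilds Daniel's PKI with throw-away test certificates and reproduces both observations with `openssl verify`: with RootCA plus Issuing SubCA-2 in CACHAIN.PEM, a client that presents UserCert-A together with the SubCA-1 intermediate still verifies, because the chain ends at the trusted root and SSLVerifyDepth 2 is satisfied for both branches; with only SubCA-2.pem as the trust file, nothing verifies, because OpenSSL needs a self-signed anchor at the end of the chain. The last function adds the issuer check that the howto's access-control section expresses with SSLRequire. It assumes the openssl command-line tool is installed; the names follow the mail, and PKI_DEMO_DIR is a hypothetical override (a temp dir is used by default).

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the two-SubCA PKI as throw-away
# test certificates, reproduce the trust behaviour described in the mail with
# `openssl verify`, then add the issuer check that limits access to SubCA-2
# clients. Requires the openssl CLI. PKI_DEMO_DIR is a hypothetical override.
set -eu

WORK="${PKI_DEMO_DIR:-$(mktemp -d)}"

# X.509 v3 extensions for CA and end-entity (client) certificates
ext_ca()   { printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'; }
ext_user() { printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n'; }

# issue NAME with subject CN=CN, signed by ISSUER, with extensions from EXTFUNC
issue() {
    name=$1 issuer=$2 cn=$3 extfunc=$4 serial=$5
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
    "$extfunc" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
        -set_serial "$serial" -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# RootCA -> {Issuing SubCA-1 -> UserCert-A, Issuing SubCA-2 -> UserCert-B}
build_pki() {
    if [ -f "$WORK/root.crt" ]; then return 0; fi   # idempotent
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/root.key" -subj "/CN=RootCA" -out "$WORK/root.csr" 2>/dev/null
    ext_ca > "$WORK/root.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
    issue subca1 root "Issuing SubCA-1" ext_ca 1001
    issue subca2 root "Issuing SubCA-2" ext_ca 1002
    issue userA subca1 "UserCert-A" ext_user 2001
    issue userB subca2 "UserCert-B" ext_user 2002
    # CACHAIN.PEM as in the mail: RootCA plus Issuing SubCA-2
    cat "$WORK/root.crt" "$WORK/subca2.crt" > "$WORK/CACHAIN.PEM"
}

# The server-side check as mod_ssl performs it: the client sends its own cert
# plus any intermediates (-untrusted); only the certs in TRUST are anchors.
# usage: verify_client TRUST CERT INTERMEDIATE  -> prints accepted|rejected
verify_client() {
    if openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$3" "$WORK/$2" 2>&1 | grep -q ': OK$'; then
        echo accepted
    else
        echo rejected
    fi
}

# Issuer DN of a certificate, RFC 2253 form (e.g. "CN=Issuing SubCA-2")
issuer_cn() { openssl x509 -in "$WORK/$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Chain must verify AND the issuer must be SubCA-2. This is what mod_ssl expresses as
#   SSLVerifyClient require
#   SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Issuing SubCA-2"
client_allowed() {
    if [ "$(verify_client "$1" "$2" "$3")" = accepted ] && [ "$(issuer_cn "$2")" = "CN=Issuing SubCA-2" ]; then
        echo accepted
    else
        echo rejected
    fi
}

build_pki
printf 'CACHAIN.PEM, UserCert-B via SubCA-2 : %s\n' "$(verify_client CACHAIN.PEM userB.crt subca2.crt)"
printf 'CACHAIN.PEM, UserCert-A via SubCA-1 : %s  (the problem)\n' "$(verify_client CACHAIN.PEM userA.crt subca1.crt)"
printf 'SubCA-2 only, UserCert-B            : %s  (no self-signed anchor)\n' "$(verify_client subca2.crt userB.crt subca2.crt)"
printf 'issuer check, UserCert-B            : %s\n' "$(client_allowed CACHAIN.PEM userB.crt subca2.crt)"
printf 'issuer check, UserCert-A            : %s\n' "$(client_allowed CACHAIN.PEM userA.crt subca1.crt)"
```

The chain verification alone cannot distinguish the two branches: both UserCert-A and UserCert-B sit at depth 2 below a root the server trusts, and the client supplies the intermediate itself. Trusting only the issuing CA fails because OpenSSL stops at a self-signed certificate, which SubCA-2.pem is not. Restricting access therefore needs a rule on the issuer of the client certificate in addition to the chain check, which is the approach the linked howto section describes.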