Actually I figured out what the problem was after I posted this message.
I had the ca cert in the right directory but it did not have the hashed soft link
to the cert in the same directory, therefore openssl did not see it. I still can't get
the operator serial number to come up on the raserver and the signature and serial number
are not displayed in the ca server during the approval process even though the
operator correctly approved and signed the request...
Thanks for the help!
Jon Groce
Service & Network Operations
Concert Integrated Security Services (CISS)
[EMAIL PROTECTED]
voice +1 770.333.4629
fax +1 770.333.4899
-----Original Message-----
From: songyi [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 22, 2000 9:14 PM
To: [EMAIL PROTECTED]
Subject: [openca-users:168] Re: Problems accesssing RA Server securely....
Have you put your CAServer's cert in /etc/httpd/conf/ssl.crt/ directory?
And configure it in httpd.conf like this:
SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca.crt
----- Original Message -----
From: Groce, Jonathan (CRTATL) <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 23, 2000 2:15 AM
Subject: [openca-users:167] Problems accesssing RA Server securely....
> > I am not sure if this has been covered before but I am still having
> > problems so here goes....
> >
> > When I set the SSLVerifyClient to 'require' in httpd.conf I am unable to
> > access the RA Server
> > using https. The output of the error_log is as follows (I have altered the
> > URLs) :
> >
> > [Fri Dec 22 12:53:02 2000] [error] mod_ssl: Certificate Verification:
> > Error (20): unable to get local issuer certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > [Fri Dec 22 12:53:02 2000] [error] mod_ssl: SSL handshake failed (server
> > raserver.concert.com:443, client myip.concert.com)
> > [Fri Dec 22 12:53:02 2000] [error] OpenSSL: error:140890B2:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> >
> > I have an RA Operator certificate in my browser that I generated and
> > imported. I can view and verify this certificate in my browser and the
> > information is correct.
> > I am not restricting access to the page except that it must be SSL. The
> > paths to verify and sign are correct on both the CA and the RA servers, as
> > are the paths to openssl and all of the certificates. I even have ldap
> > working now if I do not require a certificate to enter the RAServer. I
> > have removed and reinstalled (without the rpm), openssl 0.9.6, openldap
> > 1.2.11 and the RAServer, of which I am using the 20001121 Snap. Everything
> > else works great... and I am baffled... Could anyone answer this?
> >
> > Regards,
> > Jon Groce
> > Service & Network Operations
> > Concert Integrated Security Services (CISS)
> > [EMAIL PROTECTED]
> > voice +1 770.333.4629
> > fax +1 770.333.4899
> >
>
_________________________________________________________________
OpenCA - Users Support Mailing List [EMAIL PROTECTED]
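
The cause described in the reply at the top of this thread (CA certificate present in the SSLCACertificatePath directory, but no hashed link to it) can be reproduced and checked with openssl alone. This is an added example, not part of the original thread; the throwaway CA, the client certificate, the temporary directory and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed test PKI, hypothetical names, nothing from the thread's servers.

# make_pki DIR: create a test CA in DIR/capath/ca.crt and a client cert signed by it.
make_pki() {
    mkdir -p "$1/capath"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/capath/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed RA Operator" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/capath/ca.crt" \
        -CAkey "$1/ca.key" -set_serial 1 -days 1 \
        -out "$1/client.crt" 2>/dev/null
}

# verify_client DIR: verify the client cert using only the hashed directory,
# which is how a CA directory lookup works. -no-CAfile keeps the system
# default bundle out of the result.
verify_client() {
    openssl verify -no-CAfile -CApath "$1/capath" "$1/client.crt" 2>&1
}

# link_ca DIR: create the <subject-hash>.0 symlink that OpenSSL looks for
# in a CA directory, and print the link name.
link_ca() {
    hash=$(openssl x509 -noout -hash -in "$1/capath/ca.crt")
    ln -sf ca.crt "$1/capath/$hash.0"
    echo "$hash.0"
}

demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    echo "--- ca.crt present, no hash link (expect error 20):"
    verify_client "$dir" || true
    echo "--- after creating $(link_ca "$dir"):"
    verify_client "$dir"
    rm -rf "$dir"
}
demo
```

On a real server, `c_rehash` or `openssl rehash` run against the certificate directory creates these links for every certificate in it.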
