Since your problem is 'client certificates not available', you should set SSLVerifyClient to 'optional'. This will let the server continue the handshake even if the client does not have a certificate.
- Padma

--- Golub Heath <[EMAIL PROTECTED]> wrote:
> Sorry in advance but I am fairly new to OpenSSL and though I have read a lot
> ... I just can't seem to get it right. Any help, even direction pointing
> (e.g. a URL) would be greatly appreciated.
>
> Problem: client certificates not available during SSL handshake
>
> Description: I have a server certificate that was issued by an intermediate
> CA (DOD Class 3 CA-3) that was issued by the DOD Root CA (DoD CLASS 3 Root
> CA). Some DoD issued certificates (e.g. those issued by the intermediate CA,
> DOD Class 3 CA-5) work correctly, but those issued by DoD Class 3 CA-8 do
> not work.
>
> I think what I really just need to figure out is which certificates should
> go in my ca-bundle.crt file and which certificates should go in the
> intermediate-ca.crt file. (Should all intermediate CA certificates be added
> to the intermediate file?)
>
> Steps Taken (where did I go wrong?):
> 1. I downloaded the DOD Root Certificates and installed them for IE.
>    - http://www.onr.navy.mil/resources/instructions.asp
> 2. Using the certificate manager (mmc) in Windows 2000, I selected my
>    subordinate and root CAs and exported them to pkcs7 format (ended up with
>    2 files, 5 certs in the root ca file, 18 certs in the subordinate list).
> 3. I ran the openssl pkcs7 command to extract the certs into text format.
>    openssl pkcs7 -inform DER -outform PEM -in DoDRoot.p7b -out DoDRoot-ca.crt -print_certs -text
>    openssl pkcs7 -inform DER -outform PEM -in DoDSub.p7b -out DoDSub-ca.crt -print_certs -text
> 4. Copied the files to my apache server
> 5. In httpd.conf
>    SSLCertificateChainFile conf\ssl.crt\DoDSub-ca.crt
>    SSLCACertificateFile conf\ssl.crt\DoDRoot-ca.crt
>    SSLVerifyClient require
>    SSLVerifyDepth 2
>
> I have also tried the certificates with just the DOD Class 3 CA-3 in the
> DoDSub-ca and all the rest in the DoDRoot-ca files. Any advice?
>
> Thanks in advance, Heath Golub
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
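The thread turns on which CA certificates belong in which mod_ssl file. The httpd.conf fragment below is an added example written for this page, not configuration from either poster; the file names (server-chain.crt, dod-client-ca-bundle.crt, the /protected location) are assumptions. It separates the chain that is sent to clients from the trust store used to verify client certificates, sizes SSLVerifyDepth for a root -> intermediate -> client path, and pairs the reply's 'optional' setting with an explicit check so that a connection without a certificate cannot reach protected content.

```apache
# Added example, not from the thread. File names and the /protected path are
# assumptions; adapt them to the local layout.
<VirtualHost *:443>
    SSLEngine on

    # The server's own certificate and private key.
    SSLCertificateFile      conf/ssl.crt/server.crt
    SSLCertificateKeyFile   conf/ssl.key/server.key

    # Chain sent to clients so they can build a path from the server
    # certificate up to a root they trust: only the intermediate(s) above
    # the server certificate (here DOD Class 3 CA-3). CAs that merely issue
    # client certificates do not belong here.
    SSLCertificateChainFile conf/ssl.crt/server-chain.crt

    # Trust store used to verify CLIENT certificates. It must contain the
    # root and every intermediate that issues client certificates you want
    # to accept (CA-3, CA-5, CA-8, ...). mod_ssl also sends the subject names
    # from this file to the browser as the list of acceptable CAs; a client
    # certificate issued by a CA missing from that list is never offered,
    # which is exactly what "client certificate not available" looks like.
    SSLCACertificateFile    conf/ssl.crt/dod-client-ca-bundle.crt

    # Depth counts the CA certificates between the client certificate and
    # the root: root -> intermediate -> client needs 2; one more sub-CA in
    # the path needs 3. Too small a value fails verification even when every
    # CA certificate is present in the bundle.
    SSLVerifyDepth 2

    # 'optional' (the reply's suggestion) lets the handshake complete when
    # the browser offers no certificate, so the failure is visible in the
    # access log and in SSL_CLIENT_VERIFY rather than as a dropped connection.
    SSLVerifyClient optional

    # With 'optional', enforce the certificate where it matters: a request
    # that arrived without a verified client certificate is refused here.
    <Location /protected>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

Before reloading Apache, two openssl checks tell you whether the bundle is right: `openssl verify -CAfile dod-client-ca-bundle.crt client.pem` must print `OK` for a certificate from each issuing CA you intend to accept (CA-8 included), and `openssl crl2pkcs7 -nocrl -certfile dod-client-ca-bundle.crt | openssl pkcs7 -print_certs -noout` lists the subject and issuer of every certificate in the bundle, so a missing intermediate is easy to spot.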