Hello

I’m having some difficulty with getting a particular CA certificate to work for Client Authentication in Apache.  I’m hoping someone can help with this.

I have OpenSSL version 0.9.7g installed on the machine.

When it gets to the part where it tries to authenticate the certificate, I get “Verification: Error (34): unhandled critical extension”. I’ve done some searching on this error, and haven’t found anything relevant.

Using openssl with the verify directive it returns:

openssl verify -verbose -CAfile C:\certs\safert.cer c:\certs\safeca.cer

c:\certs\safeca.cer: /C=US/O=Cybertrust/OU=Certification Authorities/CN=Cybertrust SAFE Issuer TEST Sub CA
error 34 at 0 depth lookup:unhandled critical extension
OK

Looking at the certificate there are only three extensions marked critical: keyUsage, Basic constraints, and policy constraints. Key Usage looks normal, with just cert signing, CRL signing and offline CRL signing. Basic Constraints also looks ok, with Subject type CA and no Path length constraint.

I’m not as sure about Policy Constraints. It has both Required Explicit Policy and Inhibit Policy Mapping set to 0. I have very little experience with this extension so I’m not sure if this is ok or not.

Does anyone have any experience with this problem? Does anyone have any good suggestions or comments about how to proceed?

Thanks,

 

Eriks Richters, CISSP

CA

Senior Security Consultant

tel: +1 410-696-9707
mobile: +1 410-698-2867
[EMAIL PROTECTED]

 

Here is the Apache Log from the attempt to authenticate:

[Mon Jul 24 11:51:34 2006] [debug] ssl_engine_kernel.c(1214): Certificate Verification: depth: 1, subject: /C=US/O=Cybertrust/OU=Certification Authorities/CN=Cybertrust SAFE Issuer TEST Sub CA, issuer: /C=US/O=Cybertrust/OU=Certification Authorities/CN=Cybertrust SAFE Issuer TEST Root CA
[Mon Jul 24 11:51:34 2006] [error] Certificate Verification: Error (34): unhandled critical extension
[Mon Jul 24 11:51:34 2006] [debug] ssl_engine_kernel.c(1794): OpenSSL: Write: SSLv3 read client certificate B
[Mon Jul 24 11:51:34 2006] [debug] ssl_engine_kernel.c(1813): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon Jul 24 11:51:34 2006] [debug] ssl_engine_kernel.c(1813): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon Jul 24 11:51:34 2006] [info] SSL library error 1 in handshake (server certrr.myngc.com:443, client 172.18.36.102)
[Mon Jul 24 11:51:34 2006] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

 
