Hello,

I’m having some difficulty getting a particular CA certificate to work for Client Authentication in Apache. I’m hoping someone can help with this. I have OpenSSL version 0.9.7g installed on the machine.

When it gets to the part where it tries to authenticate the certificate, I get “Verification: Error (34): unhandled critical extension”.

I’ve done some searching on this error, and haven’t found anything relevant. Using openssl with the verify directive, it returns:

    openssl verify -verbose -CAfile C:\certs\safert.cer c:\certs\safeca.cer
    c:\certs\safeca.cer: /C=US/O=Cybertrust/OU=Certification Authorities/CN=Cybertrust SAFE Issuer TEST

Looking at the certificate, there are only three extensions marked critical: keyUsage, Basic Constraints, and Policy Constraints. Key Usage looks normal, with just cert signing, CRL signing and offline CRL signing. Basic Constraints also looks ok, with Subject type CA and no Path length constraint. I’m not as sure about Policy Constraints; it has both Required Explicit Policy and Inhibit Policy Mapping set to 0. I have very little experience with these extensions, so I’m not sure if this is ok or not.

Does anyone have any experience with this problem? Does anyone have any good suggestions or comments about how to proceed?

Thanks,

Eriks Richters, CISSP
CA Senior Security Consultant
tel: +1 410-696-9707

Here is the Apache Log from the attempt to authenticate:

    [Mon Jul 24 11:51:34 2006] [debug] ssl_engine_kernel.c(1214): Certificate Verification: depth: 1, subject: /C=US/O=Cybertrust/OU=Certification Authorities/CN=Cybertrust SAFE Issuer TEST /C=US/O=Cybertrust/OU=Certification Authorities/CN=Cybertrust SAFE Issuer TEST
    Verification: Error (34): unhandled critical extension
    [Mon Jul 24 11:51:34 2006] [debug] ssl_engine_kernel.c(1794): OpenSSL: Write: SSLv3 read client certificate B
    [Mon Jul 24 11:51:34 2006] [debug] ssl_engine_kernel.c(1813): OpenSSL: Exit: error in SSLv3 read client certificate B
    [Mon Jul 24 11:51:34 2006] [debug] ssl_engine_kernel.c(1813): OpenSSL: Exit: error in SSLv3 read client certificate B
    [Mon Jul 24 11:51:34 2006] [info] SSL library error 1 in handshake (server certrr.myngc.com:443, client 172.18.36.102)
    [Mon Jul 24 11:51:34 2006] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned