This is not an Apache support mailing list, and so these suggestions
are necessarily general in nature.

Check to make sure that the PEM-encoded certificates in cachain.crt
are properly separated.  If there's a single line that says "=====END
X509 CERTIFICATE==========BEGIN X509 CERTIFICATE=====", then it will
not be parsed correctly.

Also, cachain.crt should only need to hold ROOTCA, not necessarily all 3.

Plus, make sure that ROOTCA is currently valid, that CA1 is currently
valid, that CA2 is currently valid, and that client.crt is currently
valid; client.crt also needs to have extendedKeyUsage of
"clientAuthentication" and keyUsage of "encipherment" and "key
negotiation".

For more information, please see RFC 3280 (for help decoding the
certificates and their semantics); openssl x509 -noout -text will be
your friend here (though you will need to split up cachain.crt into
its individual certificates to be able to print their properties).

Good luck!

-Kyle H

On Tue, Mar 24, 2009 at 12:48 AM, prathima <prathima.gog...@polycom.com> wrote:
>
> I am using an Apache server for an HTTPS connection with a client.
> I had generated a client certificate signed by an intermediate CA (CA1), which
> is further signed by an intermediate CA (CA2). CA2 is signed by a ROOTCA.
> I loaded the chain of certificates on the client excluding ROOTCA (i.e.,
> clientcert+CA1+CA2).
> Configuration on Apache server:
> SSLCertificateFile      server.crt
> SSLCertificateKeyFile   server.key
> SSLCACertificateFile    cachain.crt [i.e, ROOTCA+CA1+CA2]
> SSLVerifyClient         require
> SSLVerifyDepth          3
>
> With the above setup, the server terminated the mutual TLS connection saying:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> Could someone help me in solving the above problem?
>
> --
> View this message in context: 
> http://www.nabble.com/Apache-server-says-unknown-ca-when-clientcertificate-chain-is-sent-to-server-tp22675508p22675508.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
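
The diagnostic steps in the reply above, written out as an added example
(this is not code from the thread or from the OpenSSL or Apache projects): a
POSIX shell script that normalizes a CA bundle, splits it into one file per
certificate, and, where the openssl command-line tool is installed, prints
the subject/issuer pairs, validity dates, keyUsage and extendedKeyUsage of
each one and verifies client.crt against the bundle. The file names
cachain.crt and client.crt are taken from the original post; the
"intermediates.pem" argument is an assumption standing in for whatever
CA1+CA2 file the client sends. The marker matching covers the standard
"-----BEGIN CERTIFICATE-----" text and the legacy "X509 CERTIFICATE"
spelling that OpenSSL also accepts. Only the fused-marker check and the
splitting need awk; the inspection and verification steps need openssl.

```shell
#!/bin/sh
# pemcheck.sh: added example, not code from the original thread.
# Usage: sh pemcheck.sh cachain.crt [client.crt [intermediates.pem]]
#   1. normalize the bundle (strip CRLF, split fused END/BEGIN lines),
#   2. split it into one file per certificate and count them,
#   3. with openssl present: print subject/issuer, dates, keyUsage and
#      extendedKeyUsage of each, and verify client.crt against the bundle.
set -u

# Standard PEM markers plus the legacy "X509 CERTIFICATE" spelling.
END_RE='-----END (X509 )?CERTIFICATE-----'
BEGIN_RE='-----BEGIN (X509 )?CERTIFICATE-----'

# Print how many lines of $1 carry an END marker with a BEGIN marker fused
# onto the same line; OpenSSL's PEM reader will not see the certificate
# that follows such a line.
count_fused() {
    awk -v end_re="$END_RE" -v begin_re="$BEGIN_RE" '
        $0 ~ (end_re ".*" begin_re) { n++ }
        END { print n + 0 }
    ' "$1"
}

# Write a normalized copy of bundle $1 to $2: CR stripped from CRLF files,
# every END marker followed by a newline (this un-fuses END/BEGIN lines),
# blank lines dropped.
normalize_pem() {
    awk -v end_re="$END_RE" '
        { sub(/\r$/, "") }          # strip CR
        { gsub(end_re, "&\n") }     # "&" is the matched marker text
        { print }
    ' "$1" | awk 'NF' > "$2"
}

# Split normalized bundle $1 into $2/cert-NN.pem and print the count.
split_pem() {
    awk -v dir="$2" -v end_re="$END_RE" -v begin_re="$BEGIN_RE" '
        $0 ~ begin_re { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != ""       { print > f }
        $0 ~ end_re   { close(f); f = "" }
        END           { print n + 0 }
    ' "$1"
}

# For each split certificate show what the reply says to check: does
# issuer(N) equal subject(N+1), is it within its validity window, and
# does it carry keyUsage / extendedKeyUsage (client.crt needs clientAuth).
inspect_certs() {
    for c in "$1"/cert-*.pem; do
        printf '== %s\n' "$c"
        openssl x509 -in "$c" -noout -subject -issuer -dates
        # -checkend 0 tests notAfter only; compare notBefore above by eye
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
            echo '   not expired'
        else
            echo '   EXPIRED'
        fi
        openssl x509 -in "$c" -noout -text \
            | grep -A1 -E 'X509v3 (Key Usage|Extended Key Usage)' \
            || echo '   (no keyUsage / extendedKeyUsage extension)'
    done
}

# Verify leaf $1 the way the receiving side does: trust anchors from $2,
# plus the intermediates the peer sends in $3 (optional). -verify_depth 3
# mirrors SSLVerifyDepth 3 from the configuration in the question.
verify_chain() {
    openssl verify -verify_depth 3 -CAfile "$2" ${3:+-untrusted "$3"} "$1"
}

main() {
    bundle=$1
    work=$(mktemp -d)
    printf 'fused END/BEGIN lines in %s: %s\n' "$bundle" "$(count_fused "$bundle")"
    normalize_pem "$bundle" "$work/bundle.pem"
    printf 'certificates in bundle: %s\n' "$(split_pem "$work/bundle.pem" "$work")"
    if command -v openssl >/dev/null 2>&1; then
        inspect_certs "$work"
        if [ $# -ge 2 ]; then
            verify_chain "$2" "$work/bundle.pem" "${3:-}" || echo 'client chain verification FAILED'
        fi
    else
        echo 'openssl not found: skipping inspection and verification'
    fi
    rm -rf "$work"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Two notes on reading the output. First, on the bundle contents: OpenSSL builds
the client's path from the certificates the client sends plus whatever is in
SSLCACertificateFile, and since the client in the question sends CA1 and CA2
itself, cachain.crt needs only ROOTCA, as the reply says; running
verify_chain with client.crt, the bundle and the CA1+CA2 file reproduces the
server's decision offline. Second, on the error text itself:
"SSL3_READ_BYTES:tlsv1 alert unknown ca" is OpenSSL reporting a fatal alert
it read from the peer, so a server log line of that form records that the
client rejected the server's certificate; the server's own rejection of a
client certificate is logged as a verify error instead. The same checks are
therefore worth running on the client side against server.crt and the
client's trust store.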