On Tue March 24 2009, Kyle Hamilton wrote: > This is not an Apache support mailing list, and so these suggestions > are necessarily general in nature. > > Check to make sure that the PEM-encoded certificates in cachain.crt > are properly separated. If there's a single line that says "=====END > X509 CERTIFICATE==========BEGIN X509 CERTIFICATE=====", then it will > not be parsed correctly. > > Also, cachain.crt should only need to hold ROOTCA, not necessarily all 3. > > Plus, make sure that ROOTCA is currently valid, that CA1 is currently > valid, that CA2 is currently valid, and that client.crt is currently > valid; client.crt also needs to have extendedKeyUsage of > "clientAuthentication" and keyUsage of "encipherment" and "key > negotiation". >
Also check those "too obvious to mention" things - - Like is the time and date set properly on all machines. ;) Mike > For more information, please see RFC 3280 (for help decoding the > certificates and their semantics); openssl x509 -noout -text will be > your friend here (though you will need to split up cachain.crt into > its individual certificates to be able to print their properties. > > Good luck! > > -Kyle H > > On Tue, Mar 24, 2009 at 12:48 AM, prathima <prathima.gog...@polycom.com> > wrote: > > > > I am using Apache server for HTTPS connection with client. > > I had generated client certificate signed by an intermediate CA(CA1), which > > is further signed by an intermediate CA(CA2). CA2 is signed by a ROOTCA. > > I loaded chain of certificates on client excluding ROOTCA(i.e., > > clientcert+CA1+CA2). > > Configuration on Apache server: > > SSLCertificateFile server.crt > > SSLCertificateKeyFile server.key > > SSLCACertificateFile cachain.crt [i.e, ROOTCA+CA1+CA2] > > SSLVerifyClient require > > SSLVerifyDepth 3 > > > > With the above setup, server terminated MutualTLS connection saying: > > error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca > > > > Could someone help me in solving the above problem? > > > > > > > > > > > > > > -- > > View this message in context: > > http://www.nabble.com/Apache-server-says-unknown-ca-when-clientcertificate-chain-is-sent-to-server-tp22675508p22675508.html > > Sent from the OpenSSL - User mailing list archive at Nabble.com. > > > > ______________________________________________________________________ > > OpenSSL Project http://www.openssl.org > > User Support Mailing List openssl-us...@openssl.org > > Automated List Manager majord...@openssl.org > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
