Hi Kyle,

The CA certificate chain is parsed properly. I also tried using only the RootCA (excluding the intermediate CAs). Even with this I am getting the same error. Could you please explain this: "client.crt also needs to have extendedKeyUsage of "clientAuthentication" and keyUsage of "encipherment" and "key negotiation""?
Prathima

wolfoftheair wrote:
> This is not an Apache support mailing list, and so these suggestions
> are necessarily general in nature.
>
> Check to make sure that the PEM-encoded certificates in cachain.crt
> are properly separated. If there's a single line that says "=====END
> X509 CERTIFICATE==========BEGIN X509 CERTIFICATE=====", then it will
> not be parsed correctly.
>
> Also, cachain.crt should only need to hold ROOTCA, not necessarily all 3.
>
> Plus, make sure that ROOTCA is currently valid, that CA1 is currently
> valid, that CA2 is currently valid, and that client.crt is currently
> valid; client.crt also needs to have extendedKeyUsage of
> "clientAuthentication" and keyUsage of "encipherment" and "key
> negotiation".
>
> For more information, please see RFC 3280 (for help decoding the
> certificates and their semantics); openssl x509 -noout -text will be
> your friend here (though you will need to split up cachain.crt into
> its individual certificates to be able to print their properties).
>
> Good luck!
>
> -Kyle H
>
> On Tue, Mar 24, 2009 at 12:48 AM, prathima <prathima.gog...@polycom.com> wrote:
>>
>> I am using an Apache server for an HTTPS connection with a client.
>> I had generated a client certificate signed by an intermediate CA (CA1), which
>> is further signed by an intermediate CA (CA2). CA2 is signed by a ROOTCA.
>> I loaded the chain of certificates on the client excluding ROOTCA (i.e.,
>> clientcert+CA1+CA2).
>> Configuration on the Apache server:
>> SSLCertificateFile server.crt
>> SSLCertificateKeyFile server.key
>> SSLCACertificateFile cachain.crt [i.e., ROOTCA+CA1+CA2]
>> SSLVerifyClient require
>> SSLVerifyDepth 3
>>
>> With the above setup, the server terminated the mutual-TLS connection saying:
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>
>> Could someone help me in solving the above problem?
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Apache-server-says-unknown-ca-when-clientcertificate-chain-is-sent-to-server-tp22675508p22675508.html
>> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-us...@openssl.org
>> Automated List Manager                           majord...@openssl.org

--
View this message in context: http://www.nabble.com/Apache-server-says-unknown-ca-when-clientcertificate-chain-is-sent-to-server-tp22675508p22681903.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
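The checks Kyle lists, as an added example that is not part of this thread and not Apache's or OpenSSL's code: a Go program using only the standard library crypto/x509 package. It builds a constructed ROOTCA -> CA2 -> CA1 -> client hierarchy matching the post, then applies the server-side logic behind SSLVerifyClient require and SSLVerifyDepth 3 with Go's verifier: self-signed entries of the CA file are trust anchors, the rest plus whatever the client sent are intermediates, the leaf must carry an extendedKeyUsage compatible with clientAuth, and the chain may not exceed the depth limit. The function names (mkCert, verifyClientCert, runScenarios), the scenario labels and the keyUsage bits placed on the test certificates are choices made for this example, not taken from the thread.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a constructed test CA or end entity: its certificate and signing key.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mkCert issues a currently valid certificate over a fresh P-256 key, signed by
// parent (nil means self-signed): certSign for CAs, digitalSignature plus eku for leaves.
func mkCert(cn string, serial int64, isCA bool, parent *entity, eku ...x509.ExtKeyUsage) *entity {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{cert, key}
}

// verifyClientCert models SSLVerifyClient require: self-signed entries in the
// server's CA file are trust anchors, its other entries plus the chain the client
// presented may serve as intermediates, the leaf must be usable for clientAuth,
// and at most maxDepth CA certificates may sit above the leaf (SSLVerifyDepth).
func verifyClientCert(leaf *x509.Certificate, presented, caFile []*x509.Certificate, maxDepth int) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range caFile {
		if bytes.Equal(c.RawSubject, c.RawIssuer) {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err // unknown authority, outside validity period, or incompatible key usage
	}
	if depth := len(chains[0]) - 1; depth > maxDepth {
		return fmt.Errorf("chain has %d CAs above the leaf but SSLVerifyDepth is %d", depth, maxDepth)
	}
	return nil
}

// runScenarios builds ROOTCA -> CA2 -> CA1 -> client and checks the posted
// setup next to four ways it can fail. A nil error means the handshake continues.
func runScenarios() map[string]error {
	root := mkCert("ROOTCA", 1, true, nil)
	ca2 := mkCert("CA2", 2, true, root)
	ca1 := mkCert("CA1", 3, true, ca2)
	client := mkCert("client", 4, false, ca1, x509.ExtKeyUsageClientAuth)
	wrongEKU := mkCert("client-serverauth-only", 5, false, ca1, x509.ExtKeyUsageServerAuth)
	cachain := []*x509.Certificate{root.cert, ca1.cert, ca2.cert} // SSLCACertificateFile contents
	sent := []*x509.Certificate{ca1.cert, ca2.cert}               // what the client presents with client.crt
	return map[string]error{
		"as posted":             verifyClientCert(client.cert, sent, cachain, 3),
		"root only in cachain":  verifyClientCert(client.cert, sent, cachain[:1], 3),
		"client sends no chain": verifyClientCert(client.cert, nil, cachain[:1], 3),
		"SSLVerifyDepth 2":      verifyClientCert(client.cert, sent, cachain, 2),
		"leaf lacks clientAuth": verifyClientCert(wrongEKU.cert, sent, cachain, 3),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

Running it with go run prints which of the five configurations verify and why the others do not. Two caveats for anyone applying this to the thread's problem: Go's Verify enforces validity dates and the extended key usage chain but does not check keyUsage bits, so that item on Kyle's list still has to be read off openssl x509 -noout -text by hand; and an OpenSSL error whose routine is SSL3_READ_BYTES and whose text is "tlsv1 alert unknown ca" is logged by the side that received that alert from its peer, so it is worth confirming whether the line came from the server's log or the client's before deciding which end's trust store to fix.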