Time and date are set correctly on both the server and the client.


Michael S. Zick-4 wrote:
> 
> On Tue March 24 2009, Kyle Hamilton wrote:
>> This is not an Apache support mailing list, and so these suggestions
>> are necessarily general in nature.
>> 
>> Check to make sure that the PEM-encoded certificates in cachain.crt
>> are properly separated.  If there's a single line that says "=====END
>> X509 CERTIFICATE==========BEGIN X509 CERTIFICATE=====", then it will
>> not be parsed correctly.
>> 
>> Also, cachain.crt should only need to hold ROOTCA, not necessarily all 3.
>> 
>> Plus, make sure that ROOTCA is currently valid, that CA1 is currently
>> valid, that CA2 is currently valid, and that client.crt is currently
>> valid; client.crt also needs to have extendedKeyUsage of
>> "clientAuthentication" and keyUsage of "encipherment" and "key
>> negotiation".
>>
> 
> Also check those "too obvious to mention" things - -
> Like is the time and date set properly on all machines.  ;)
> 
> Mike
>  
>> For more information, please see RFC 3280 (for help decoding the
>> certificates and their semantics); openssl x509 -noout -text will be
>> your friend here (though you will need to split up cachain.crt into
>> its individual certificates to be able to print their properties).
>> 
>> Good luck!
>> 
>> -Kyle H
>> 
>> On Tue, Mar 24, 2009 at 12:48 AM, prathima <prathima.gog...@polycom.com> wrote:
>> >
>> > I am using Apache server for HTTPS connection with client.
>> > I had generated client certificate signed by an intermediate CA(CA1), which
>> > is further signed by an intermediate CA(CA2). CA2 is signed by a ROOTCA.
>> > I loaded chain of certificates on client excluding ROOTCA(i.e.,
>> > clientcert+CA1+CA2).
>> > Configuration on Apache server:
>> > SSLCertificateFile      server.crt
>> > SSLCertificateKeyFile   server.key
>> > SSLCACertificateFile    cachain.crt [i.e, ROOTCA+CA1+CA2]
>> > SSLVerifyClient         require
>> > SSLVerifyDepth          3
>> >
>> > With the above setup, server terminated MutualTLS connection saying:
>> > error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> >
>> > Could someone help me in solving the above problem?
>> >
>> > --
>> > View this message in context:
>> > http://www.nabble.com/Apache-server-says-unknown-ca-when-clientcertificate-chain-is-sent-to-server-tp22675508p22675508.html
>> > Sent from the OpenSSL - User mailing list archive at Nabble.com.
>> >
>> > ______________________________________________________________________
>> > OpenSSL Project                                 http://www.openssl.org
>> > User Support Mailing List                    openssl-us...@openssl.org
>> > Automated List Manager                           majord...@openssl.org
>> >
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Apache-server-says-unknown-ca-when-clientcertificate-chain-is-sent-to-server-tp22675508p22681942.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
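
Added example, not part of the original thread: the two bundle checks suggested in the quoted reply (boundary lines that have run together, then splitting cachain.crt so each certificate can be printed with openssl x509). It assumes the standard "-----BEGIN CERTIFICATE-----" style markers; the function names and the default output directory are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check and split a PEM CA bundle.

# Report any line holding a PEM marker that is not a lone, well-formed
# certificate boundary, e.g. an END marker fused with the next BEGIN marker.
# Returns non-zero when such a line exists.
check_pem_boundaries() {
    awk '
        /-----(BEGIN|END) / {
            if ($0 !~ /^-----(BEGIN|END) [A-Z0-9 ]*CERTIFICATE-----[ \t\r]*$/) {
                printf "line %d: malformed PEM boundary: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Write each certificate in bundle $1 to $2/cert-N.pem and print the count.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN [A-Z0-9 ]*CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END [A-Z0-9 ]*CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# Check, split, then show subject, issuer and validity dates of every piece.
inspect_bundle() {
    check_pem_boundaries "$1" >&2 || return 1
    count=$(split_pem_bundle "$1" "$2") || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        openssl x509 -noout -subject -issuer -dates -in "$2/cert-$i.pem"
        i=$((i + 1))
    done
}

# Usage: sh split-bundle.sh cachain.crt [outdir]   (default outdir is an assumption)
if [ "$#" -ge 1 ]; then
    inspect_bundle "$1" "${2:-./bundle-parts}"
fi
```

The notBefore/notAfter lines printed for each piece can be compared against the clock on the server and the client.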
