On Tue March 24 2009, prathima wrote:
>
> Time and Date are set correctly on both server as well as client
>

No insult was intended, but such things do happen even to the most expert. ;)

Mike

> Michael S. Zick-4 wrote:
> >
> > On Tue March 24 2009, Kyle Hamilton wrote:
> >> This is not an Apache support mailing list, and so these suggestions
> >> are necessarily general in nature.
> >>
> >> Check to make sure that the PEM-encoded certificates in cachain.crt
> >> are properly separated. If there's a single line that says "=====END
> >> X509 CERTIFICATE==========BEGIN X509 CERTIFICATE=====", then it will
> >> not be parsed correctly.
> >>
> >> Also, cachain.crt should only need to hold ROOTCA, not necessarily all 3.
> >>
> >> Plus, make sure that ROOTCA is currently valid, that CA1 is currently
> >> valid, that CA2 is currently valid, and that client.crt is currently
> >> valid; client.crt also needs to have extendedKeyUsage of
> >> "clientAuthentication" and keyUsage of "encipherment" and "key
> >> negotiation".
> >>
> >
> > Also check those "too obvious to mention" things - -
> > Like is the time and date set properly on all machines. ;)
> >
> > Mike
> >
> >> For more information, please see RFC 3280 (for help decoding the
> >> certificates and their semantics); openssl x509 -noout -text will be
> >> your friend here (though you will need to split up cachain.crt into
> >> its individual certificates to be able to print their properties).
> >>
> >> Good luck!
> >>
> >> -Kyle H
> >>
> >> On Tue, Mar 24, 2009 at 12:48 AM, prathima <prathima.gog...@polycom.com> wrote:
> >> >
> >> > I am using Apache server for HTTPS connection with client.
> >> > I had generated client certificate signed by an intermediate CA (CA1), which
> >> > is further signed by an intermediate CA (CA2). CA2 is signed by a ROOTCA.
> >> > I loaded chain of certificates on client excluding ROOTCA (i.e.,
> >> > clientcert+CA1+CA2).
> >> > Configuration on Apache server:
> >> > SSLCertificateFile server.crt
> >> > SSLCertificateKeyFile server.key
> >> > SSLCACertificateFile cachain.crt [i.e., ROOTCA+CA1+CA2]
> >> > SSLVerifyClient require
> >> > SSLVerifyDepth 3
> >> >
> >> > With the above setup, server terminated MutualTLS connection saying:
> >> > error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >> >
> >> > Could someone help me in solving the above problem?
> >> >
> >> > --
> >> > View this message in context:
> >> http://www.nabble.com/Apache-server-says-unknown-ca-when-clientcertificate-chain-is-sent-to-server-tp22675508p22675508.html
> >> > Sent from the OpenSSL - User mailing list archive at Nabble.com.
> >> >
> >> > ______________________________________________________________________
> >> > OpenSSL Project http://www.openssl.org
> >> > User Support Mailing List openssl-us...@openssl.org
> >> > Automated List Manager majord...@openssl.org
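Kyle's first check, that the PEM blocks in cachain.crt are separated by a newline rather than an END marker running straight into the next BEGIN, can be scripted. This is an added example, not code from the thread; the sample bundle is constructed with placeholder bodies rather than real certificates, and real PEM markers use dashes rather than the equals signs quoted above.

```python
import re

# Labels OpenSSL accepts for PEM certificates: the current "CERTIFICATE" and
# the legacy "X509 CERTIFICATE" form mentioned in the thread.
LABEL = r"(?:X509 )?CERTIFICATE"
BEGIN_RE = re.compile(rf"-----BEGIN {LABEL}-----")
END_RE = re.compile(rf"-----END {LABEL}-----")
# An END marker fused to the next BEGIN on one line: the mis-separation Kyle
# describes, after which OpenSSL no longer parses the rest of the chain.
FUSED_RE = re.compile(rf"(-----END {LABEL}-----)(-----BEGIN {LABEL}-----)")

def check_bundle(text):
    """Split a PEM bundle (e.g. cachain.crt) into its certificate blocks.
    Returns (certs, problems): the well-formed blocks found, and a list of
    what would make OpenSSL mis-parse the file."""
    problems, certs, current = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if FUSED_RE.search(stripped):
            problems.append(f"line {lineno}: END and BEGIN markers on one line; "
                            "insert a newline between them")
        if BEGIN_RE.fullmatch(stripped):
            if current is not None:
                problems.append(f"line {lineno}: BEGIN inside an unclosed block")
            current = [stripped]
        elif END_RE.fullmatch(stripped):
            if current is None:
                problems.append(f"line {lineno}: END without a matching BEGIN")
            else:
                current.append(stripped)
                certs.append("\n".join(current))
                current = None
        elif current is not None and stripped:
            current.append(stripped)
    if current is not None:
        problems.append("file ends inside an unclosed certificate block")
    return certs, problems

def repair_bundle(text):
    """Put fused END/BEGIN markers on separate lines so every block parses."""
    return FUSED_RE.sub(r"\1\n\2", text)

# Constructed sample bundle: the base64 bodies are placeholders, not certs.
# CA1's END marker is fused to CA2's BEGIN marker, as in the thread.
SAMPLE_CACHAIN = (
    "-----BEGIN CERTIFICATE-----\nROOTCAplaceholderBase64==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nCA1placeholderBase64==\n"
    "-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n"
    "CA2placeholderBase64==\n-----END CERTIFICATE-----\n"
)
```

Each block returned by check_bundle can then be piped to openssl x509 -noout -text to inspect its validity dates and key usage as Kyle suggests.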