Hi Patrick:

1. Only the root CA has the extension "Basic Constraints: CA:True". The intermediate CAs don't have the Basic Constraints field. Could you please help me in generating an Intermediate CA certificate having the field "Basic Constraints: CA:True"?

2. Issuer/Subject fields of CA certificate chain are correct.

3. What are AKI/SKI fields of chain?

I am attaching ca chain certificate that I am using.

Patrick Patterson-3 wrote:
>
> Hello Prathima:
>
> On March 24, 2009 10:40:47 am prathima wrote:
>> Hi Kyle,
>>
>> CA certificate chain is parsed properly. I also tried using only
>> RootCA(excluding intermediate CA's). Even with this I am getting the same
>> error.
>> Could you please explain this:
>> client.crt also needs to have extendedKeyUsage of
>> "clientAuthentication" and keyUsage of "encipherment" and "key
>> negotiation"
>>
> A couple of things to take a look at:
>
> 1: Do all of the CA Certificates have the extension "Basic Constraints:
> CA:True"?
>
> 2: Do the Issuer/Subject fields of the CA certificates chain correctly?
>
> 3: Do the AKI/SKI fields of the CA certificates chain correctly?
>
> What happens when you do:
>
> openssl verify -CAfile cachain.crt -verbose client-cert.pem?
>
> Can you post the cachain.crt file?
>
> Have fun.
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
>
http://www.nabble.com/file/p22778957/cachain.crt cachain.crt
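
The check this thread turns on, as an added example that is not part of the original messages: a throwaway root, an intermediate issued with `basicConstraints = CA:TRUE` plus SKI/AKI, a second intermediate that lacks Basic Constraints, and a client certificate under each, so `openssl verify` can be run against both chains. All subjects, file names and config section names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: every subject, file name and section name is constructed.
write_cnf() {  # $1 = path of the OpenSSL config to write
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_missing_bc ]
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid:always
EOF
}

# issue <dir> <name> <CN> <issuer name> <extension section>
issue() {
  local d="$1" n="$2" cn="$3" ca="$4" ext="$5"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
    -out "$d/$n.csr" -subj "/CN=$cn" -config "$d/ca.cnf" 2>/dev/null &&
  openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$d/$n.crt" \
    -extfile "$d/ca.cnf" -extensions "$ext" 2>/dev/null
}

build_demo() {  # $1 = existing empty working directory
  local d="$1"
  write_cnf "$d/ca.cnf" &&
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -sha256 \
    -keyout "$d/root.key" -out "$d/root.crt" -subj "/CN=Example Root CA" \
    -config "$d/ca.cnf" -extensions v3_ca 2>/dev/null &&
  issue "$d" int "Example Intermediate CA" root v3_ca &&
  issue "$d" bad "Example Intermediate without BC" root v3_missing_bc &&
  issue "$d" good-client "client-a" int v3_client &&
  issue "$d" bad-client "client-b" bad v3_client
}

# chain_ok <dir> <intermediate> <leaf>: status 0 only if the chain verifies
chain_ok() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2.crt" "$1/$3.crt" \
    2>&1 | grep -q ': OK$'
}
```

After `build_demo "$(mktemp -d)"`, `openssl x509 -noout -text -in int.crt` shows the Basic Constraints, Subject Key Identifier and Authority Key Identifier extensions that Patrick's three questions ask about.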