I don't see this as an Apache issue. The site has required client certs for years now and Apache was configured to require client certificates.
I have intermediate DOD certs on the server but OpenSSL sees my DoD Root certificate as un-trusted self-signed so the chain is broken.

From http://www.openssl.org/support/faq.html:

"5. Why does <SSL program> fail with a certificate verify error?

This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information."

How can I get OpenSSL to "trust" my DOD root certificate?

Curtis

-----Original Message-----
From: Bernhard Fröhlich [mailto:t...@convey.de]
Sent: Thursday, April 26, 2012 09:39
To: openssl-users@openssl.org; Tammany, Curtis
Subject: Re: How to trust a 'root' certificate

On 26.04.2012 15:15, Tammany, Curtis wrote:
> Hello-
>
> I am running Apache 2.2.22 with OpenSSL 1.0.1 on Windows (XP for dev and
> server 2003 for production)
>
> The site requires client (CAC) certificates.
>
> I am getting "FAILED:unable to get local issuer certificate" errors in my
> log file from Windows 7 clients. Digging suggested that I check the
> intermediate certificates that I have on the server with the openssl verify
> command which returned "error 18 at 0 depth lookup:self signed certificate"
>
> Running openssl version -d returns "OPENSSLDIR: "c:/openssl-1.0.1/ssl". That
> folder does not exist on my servers.
>
> I think I need to get OpenSSL to trust the self signed certificate. What
> steps do I take?
>
> Thank you.

This is an Apache question and is only loosely connected to OpenSSL.

I'll take the liberty to forward you to CAcert.org's wiki which has a page explaining how to configure Apache for client certificates at
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication

It may not be exactly what you need but might give you the right ideas. Otherwise Apache's support groups may be able to help you in more detail.

I hope this helps a bit,
Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
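The FAQ passage quoted in this thread says a root CA is trusted once it is "placed in a directory or file" that the program is told to read. The following is an added example, not part of the original messages: it builds a constructed root and client certificate (all names, keys and paths are made up), reproduces both errors mentioned in the thread, then clears them with `-CAfile` and `-CApath`. It is written for a POSIX shell; the `openssl` arguments are the same on Windows.

```shell
#!/bin/sh
# Constructed demo: all names, keys and paths are made up for illustration.
d=$(mktemp -d)

# Minimal req config so the demo does not depend on a system openssl.cnf.
cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed root, then a client certificate issued by it.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -keyout "$d/root.key" -out "$d/root.pem" -days 2 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=Constructed Demo Client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/client.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -out "$d/client.pem" -days 2 2>/dev/null
}

# No trust anchor supplied: only the default store under OPENSSLDIR is searched.
verify_default() { openssl verify "$1" 2>&1; }

# Trust anchor supplied as a PEM file (may hold several concatenated CA certs).
verify_cafile() { openssl verify -CAfile "$d/root.pem" "$1" 2>&1; }

# Trust anchor supplied as a directory: each CA file is named <subject-hash>.0
verify_capath() {
  mkdir -p "$d/certs"
  h=$(openssl x509 -in "$d/root.pem" -noout -hash)
  cp "$d/root.pem" "$d/certs/$h.0"
  openssl verify -CApath "$d/certs" "$1" 2>&1
}

make_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
verify_default "$d/root.pem"   || echo "-> root rejected: not a trust anchor"
verify_default "$d/client.pem" || echo "-> client rejected: issuer not found"
verify_cafile  "$d/client.pem"
verify_capath  "$d/client.pem"
```

In Apache mod_ssl, the corresponding trust settings for client certificates are the `SSLCACertificateFile` and `SSLCACertificatePath` directives.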