Hello,
So can you confirm that entering Tools-Internet
Options-Content-Certificates shows Personal certs, and that if you
View them it states there's a private key associated with that cert?
And then confirm that the CA that signed that cert is one trusted by
Apache via SSLCACertificateFile or SSLCACertificatePath (those should
point to copies of the CA public keys - not the same cert that is on the
client). I can't figure out from your mail if you've already worked that
out, so sorry if that's pointing out the bleeding obvious ;-)
Yes, I have a Verisign Class 1 personal certificate.
It states that:
You have a private key that corresponds to this certificate.
I asked VeriSign for the certificate that signed my cert and they sent it to
me. It was base64; I converted it to what appears to be a PEM format. I have
this file (verisign.pem) as my SSLCACertificateFile and manually created the
hash link to it.
So right now I have this included within this server's virtualhost:
# Config for the Client Side Certificates
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /export/CA/certs/verisign.pem
SSLCACertificatePath /export/CA/certs
SSLProtocol ALL
SSLCipherSuite ALL
<Location />
SSLRequire %{REMOTE_ADDR} =~ m/^x\.x\.x\.[0-9]+$/
</Location>
</VirtualHost>
And the certs dir has 1 link and 1 file:
lrwxrwxrwx 1 root other 12 Nov 2 10:57 c19d42c7.0 -> verisign.pem
-rw-r--r-- 1 root other 3028 Nov 2 10:49 verisign.pem
That's what SSLCACertificateFile or SSLCACertificatePath is about. You
can use that to restrict what client certs you support down to just
those signed by those CAs. To further restrict to a subselection, see
mod_ssl documentation for SSLRequire - e.g.
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
I see. Thanks for the tip.
To keep this simple I am using SSLRequire and checking for my IP.
I continue to get the blank pop-up window that asks me to select a cert.
I rebooted my laptop for good measure.
The same error appears in my apache error log.
[Wed Nov 2 11:20:17 2005] [error] mod_ssl: SSL handshake failed (server ice.choiceonecom.com:443, client 216.153.201.171) (OpenSSL library error follows)
[Wed Nov 2 11:20:17 2005] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
Is my verisign.pem in the wrong format?
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
39:ca:54:89:fe:50:22:32:fe:32:d9:db:fb:1b:84:19
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
Validity
Not Before: May 18 00:00:00 1998 GMT
Not After : May 18 23:59:59 2018 GMT
Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:aa:d0:ba:be:16:2d:b8:83:d4:ca:d2:0f:bc:76:
31:ca:94:d8:1d:93:8c:56:02:bc:d9:6f:1a:6f:52:
36:6e:75:56:0a:55:d3:df:43:87:21:11:65:8a:7e:
8f:bd:21:de:6b:32:3f:1b:84:34:95:05:9d:41:35:
eb:92:eb:96:dd:aa:59:3f:01:53:6d:99:4f:ed:e5:
e2:2a:5a:90:c1:b9:c4:a6:15:cf:c8:45:eb:a6:5d:
8e:9c:3e:f0:64:24:76:a5:cd:ab:1a:6f:b6:d8:7b:
51:61:6e:a6:7f:87:c8:e2:b7:e5:34:dc:41:88:ea:
09:40:be:73:92:3d:6b:e7:75
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
8b:f7:1a:10:ce:76:5c:07:ab:83:99:dc:17:80:6f:34:39:5d:
98:3e:6b:72:2c:e1:c7:a2:7b:40:29:b9:78:88:ba:4c:c5:a3:
6a:5e:9e:6e:7b:e3:f2:02:41:0c:66:be:ad:fb:ae:a2:14:ce:
92:f3:a2:34:8b:b4:b2:b6:24:f2:e5:d5:e0:c8:e5:62:6d:84:
7b:cb:be:bb:03:8b:7c:57:ca:f0:37:a9:90:af:8a:ee:03:be:
1d:28:9c:d9:26:76:a0:cd:c4:9d:4e:f0:ae:07:16:d5:be:af:
57:08:6a:d0:a0:42:42:42:1e:f4:20:cc:a5:78:82:95:26:38:
8a:47
-----BEGIN CERTIFICATE-----
MIIDAjCCAmsCEDnKVIn+UCIy/jLZ2/sbhBkwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
DTk4MDUxODAwMDAwMFoXDTE4MDUxODIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMSBQdWJsaWMg
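Added example, not part of the thread and not mod_ssl or OpenSSL code: a standard-library Python script that reproduces, structurally, the three things the server does with SSLCACertificateFile/SSLCACertificatePath and SSLVerifyDepth. It derives the hash-link name (the c19d42c7.0 style, i.e. the pre-1.0 OpenSSL `x509 -hash` value, which newer OpenSSL exposes as `-subject_hash_old`), it lists the CA subject names the server advertises in its CertificateRequest (the list a browser matches client-cert issuers against before populating its chooser, so a mismatch shows up as an empty pop-up and a "peer did not return a certificate" log line), and it counts the chain depth that SSLVerifyDepth must cover. The certificate hierarchy (an "Example CA" root, a "Class 1 Issuing CA" intermediate, a user "alice"), the helper names and the unsigned certificate stubs are all constructed assumptions; no signature is verified, so this is a configuration sanity check, not a replacement for `openssl verify`.

```python
"""Added example (not from the thread): structural check of a mod_ssl client-cert
trust store, standard library only.  Reads issuer/subject from X.509 DER, computes
the pre-1.0 OpenSSL subject hash used for SSLCACertificatePath links, lists the
CA names advertised in the CertificateRequest, and measures chain depth."""
import hashlib

ATTR = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def der_read(buf, pos=0):
    """Return (tag, value, end) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Children of a constructed value as (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, end = der_read(value, pos)
        out.append((tag, child, value[pos:end]))
        pos = end
    return out

def cert_names(der_cert):
    """Raw DER (issuer, subject) Names of a certificate; skips the optional [0] version."""
    fields = der_children(der_read(der_read(der_cert)[1])[1])    # tbsCertificate fields
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[2][2], fields[4][2]     # serial, sigAlg, ISSUER, validity, SUBJECT

def name_to_str(name_tlv):
    """Render a DER Name as 'C=US, O=..., OU=...' in OpenSSL -subject style."""
    parts = []
    for _, rdn, _ in der_children(der_read(name_tlv)[1]):        # each SET (RDN)
        for _, atv, _ in der_children(rdn):                      # AttributeTypeAndValue
            (_, oid, _), (_, val, _) = der_children(atv)
            parts.append("%s=%s" % (ATTR.get(oid, oid.hex()), val.decode("utf-8", "replace")))
    return ", ".join(parts)

def subject_hash_old(name_tlv):
    """OpenSSL <1.0 'x509 -hash': first four MD5 bytes of the DER Name, little-endian."""
    return "%08x" % int.from_bytes(hashlib.md5(name_tlv).digest()[:4], "little")

def acceptable_issuers(ca_ders):
    """Names mod_ssl puts in the CertificateRequest; a browser only offers client
    certs whose issuer is in this list, otherwise its chooser comes up empty."""
    return [name_to_str(cert_names(c)[1]) for c in ca_ders]

def chain_depth(client_der, ca_ders):
    """Hops from the client cert to a trusted self-signed cert, or None if the chain
    cannot be completed from the CA set; SSLVerifyDepth must be >= this number."""
    by_subject = {cert_names(c)[1]: c for c in ca_ders}
    issuer, subject = cert_names(client_der)
    depth = 0
    while issuer != subject:
        if issuer not in by_subject:
            return None
        issuer, subject = cert_names(by_subject[issuer])
        depth += 1
    return depth if subject in by_subject else None

def der(tag, content):
    """Encode one TLV (content up to 65535 bytes); used only to build the stubs."""
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + content

def make_name(**attrs):
    """Constructed DER Name from C=, O=, OU=, CN= keywords (PrintableString values)."""
    oid_of = {v: k for k, v in ATTR.items()}
    rdns = [der(0x31, der(0x30, der(0x06, oid_of[k]) + der(0x13, v.encode()))) for k, v in attrs.items()]
    return der(0x30, b"".join(rdns))

def make_cert(subject, issuer, serial):
    """Constructed, UNSIGNED certificate stub with a real tbsCertificate layout."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))      # sha256WithRSA
           + issuer + der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
           + subject + der(0x30, b""))                                          # SPKI placeholder
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def demo():
    """Constructed stand-in for the thread's setup: a public root, an intermediate
    that actually issues the personal certs, and one client cert.  Returns a report."""
    root_n = make_name(C="US", O="Example CA", OU="Class 1 Root")
    sub_n = make_name(C="US", O="Example CA", OU="Class 1 Issuing CA")
    user_n = make_name(C="US", O="Example CA", CN="alice")
    root, sub = make_cert(root_n, root_n, 1), make_cert(sub_n, root_n, 2)
    client = make_cert(user_n, sub_n, 3)
    root_only, with_sub = [root], [sub, root]           # two candidate CA-file contents
    return {
        "hash_link": subject_hash_old(root_n) + ".0",               # c_rehash-style link name
        "advertised_root_only": acceptable_issuers(root_only),
        "client_issuer": name_to_str(cert_names(client)[0]),        # not in the list above
        "depth_root_only": chain_depth(client, root_only),          # None: chain incomplete
        "depth_with_sub": chain_depth(client, with_sub),            # 2: more than SSLVerifyDepth 1
    }
```

Calling `demo()` shows the two failure modes side by side: with only the root in the CA file the client's issuer is not advertised and the chain cannot be completed at all, and with the intermediate added the chain is two hops deep, which an `SSLVerifyDepth 1` setting still rejects. The same functions run unchanged over real DER from a PEM file once its base64 body is decoded.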