No hits on this thread yet, so I am replying to myself with more information...
I am creating the cachain.pem with
cat wildcart.crt > cachain.pem
cat intmdtca.cer >> cachain.pem
cat rootca.cer >> cachain.pem
I have also tried it as
cat wildcart.crt > cachain.pem
cat cabundle.pem >> cachain.pem
I am creating the cachain.crl with the below script:
#!/bin/sh
# Rebuild cachain.crl from the CRLs listed in crls.txt (one "<crl name> <base url>" per line)
openssl_conf=/etc/pki/tls/openssl.cnf
chaincrl=/etc/httpd/conf/ssl/cachain.crl
crlpath=/etc/httpd/conf/ssl/CRLs
crlders=/etc/httpd/conf/ssl/DER_CRLs
# split the file on newlines only, so each loop iteration sees one whole line
IFS="
"
# start from empty CRL directories and an empty bundle
rm -f ${crlpath}/* ${crlders}/* ${chaincrl}
for line in $(cat < crls.txt); do
    crlname=`echo ${line} | awk '{print $1}'`
    crlurl=`echo ${line} | awk '{print $2}'`
    # fetch the DER CRL, convert it to PEM, and append it to the bundle
    wget "${crlurl}/${crlname}" --no-check-certificate -O "${crlders}/${crlname}"
    openssl crl -inform DER -in "${crlders}/${crlname}" -outform PEM -out "${crlpath}/${crlname}"
    cat "${crlpath}/${crlname}" >> ${chaincrl}
done
Anyone have any suggestions?
> ----- Original Message -----
> From: Jim Jones <[email protected]>
> To: "[email protected]" <[email protected]>
> Cc:
> Sent: Wednesday, March 13, 2013 11:47 AM
> Subject: [users@httpd] Trouble authenticating IE users with client certificates
>
> Hi all,
> I am having a problem getting Apache to allow access to IE 6/7/8/9 users
> with client certificates installed to access restricted resources. I have
> several servers (Windows and Linux) running various versions of Apache from
> 2.0 through 2.4, all behave the same way. I am simply unable to get client
> certificates to authenticate IE users. Please do let me know if any more
> information is needed, including how I built the CAchain, CRLs, etc.
>
>
> Note that using the same client certs from Firefox works just fine,
> users can successfully authenticate to the resource and get content.
>
> Thank you!
> Jim
>
> ##### ssl.conf
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite HIGH:MEDIUM
> SSLCertificateFile /etc/pki/tls/certs/wildcard.crt
> SSLCertificateKeyFile /etc/pki/tls/private/21wildcard.key
> SSLCertificateChainFile /etc/httpd/conf/ssl/cachain.pem
> SSLCACertificateFile /etc/httpd/conf/ssl/rootca.cer
> SSLCADNRequestFile /etc/httpd/conf/ssl/cachain.pem
> SSLCARevocationFile /etc/httpd/conf/ssl/cachain.crl
> SSLVerifyClient none
> SSLInsecureRenegotiation on
> CustomLog "/etc/httpd/logs/extended_ssl_request.log" "%t %h %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_I_DN_CN}x %{SSL_CLIENT_S_DN}x \"%r\" %b"
> <Location /foo/>
> SSLVerifyClient optional
> RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
> RewriteRule .* /var/www/error/HTTP_UNAUTHORIZED.html [L]
> SSLVerifyDepth 10
> SSLOptions +ExportCertData +StdEnvVars +OptRenegotiate +FakeBasicAuth
> SSLRequireSSL
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> #SSLRequire ( %{SSL_CLIENT_S_DN_CN} eq "Biggs, \Mike" \
> #            or %{SSL_CLIENT_S_DN_emailAddress} eq "[email protected]" ) \
> #           and %{SSL_CLIENT_I_DN_CN} in {"nypd\-ca\-1", "nypd\-ca\-2", "nypd\-ca\-3"}
> </Location>
>
> #### extended_ssl_request.log
> [13/Mar/2013:12:03:09 -0400] x.x.x.x NONE - - "GET / HTTP/1.0" 768
> [13/Mar/2013:12:03:09 -0400] x.x.x.x NONE - - "GET /icons/blank.gif HTTP/1.0" 148
> [13/Mar/2013:12:03:09 -0400] x.x.x.x NONE - - "GET /icons/unknown.gif HTTP/1.0" 245
> [13/Mar/2013:12:03:21 -0400] x.x.x.x NONE - - "GET /foo/bar HTTP/1.0" -
>
>
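A hardened version of the CRL-bundle procedure from the script above, added here as an example and not code from the thread. It keeps the same crls.txt layout (CRL file name, then base URL) and the same download, DER-to-PEM, concatenate steps, but validates each list entry, leaves wget's TLS checking on, verifies each CRL's signature against the CA chain before appending it, and renames the finished bundle into place so httpd never reads a half-written file. The paths in the usage comment are the thread's; the function names, the work directory and the list contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild an Apache SSLCARevocationFile bundle
# from a list of CRL download locations, verifying each CRL before it is appended.
# crls.txt layout assumed from the thread: one "<crl file name> <base url>" per line.
set -eu

# parse_crl_list FILE: print validated "name url" pairs; reject malformed lines and
# file names that could escape the work directory (the name becomes part of a path).
parse_crl_list() {
    while read -r name url extra || [ -n "$name" ]; do
        [ -n "$name" ] || continue                 # blank line
        case "$name" in '#'*) continue ;; esac     # comment line
        if [ -z "$url" ] || [ -n "$extra" ]; then
            echo "malformed entry: '$name $url $extra'" >&2
            return 1
        fi
        case "$name" in */*|*..*)
            echo "unsafe CRL file name: '$name'" >&2
            return 1 ;;
        esac
        printf '%s %s\n' "$name" "$url"
    done < "$1"
}

# fetch_crl URL DEST: download with TLS certificate checking left on (the thread's
# script passes --no-check-certificate; a CRL carries its own signature, but the
# transport still deserves verification where it is offered).
fetch_crl() {
    wget -q --timeout=30 -O "$2" "$1"
}

# der_to_pem DER_IN PEM_OUT: convert; openssl fails here if the download was not a CRL
# (an HTML error page, for instance), which stops the build instead of polluting the bundle.
der_to_pem() {
    openssl crl -inform DER -in "$1" -outform PEM -out "$2"
}

# verify_crl PEM CAFILE: check the CRL signature against its issuer found in CAFILE.
# Older openssl releases exit 0 even on "verify failure", so the message is checked.
verify_crl() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# verify_chain LEAF CAFILE: confirm a certificate chains to CAFILE, a quick sanity
# check on a freshly built cachain.pem before httpd is pointed at it.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# write_bundle BUNDLE PEM...: concatenate PEM CRLs into a temp file, then rename it
# into place so a reader never sees a partially written bundle.
write_bundle() {
    bundle=$1; shift
    tmp="$bundle.tmp.$$"
    cat "$@" > "$tmp"
    mv "$tmp" "$bundle"
}

# build_crl_bundle LIST CAFILE WORKDIR BUNDLE: the thread's procedure with checks added.
build_crl_bundle() {
    list=$1; cafile=$2; work=$3; bundle=$4
    mkdir -p "$work/der" "$work/pem"
    rm -f "$work"/der/* "$work"/pem/*
    parse_crl_list "$list" > "$work/list.txt"
    while read -r name url; do
        fetch_crl "$url/$name" "$work/der/$name"
        der_to_pem "$work/der/$name" "$work/pem/$name"
        verify_crl "$work/pem/$name" "$cafile"
    done < "$work/list.txt"
    write_bundle "$bundle" "$work"/pem/*
}

# usage (paths from the thread, work directory assumed):
# sh build-crl-bundle.sh crls.txt /etc/httpd/conf/ssl/cachain.pem /var/tmp/crlwork /etc/httpd/conf/ssl/cachain.crl
if [ "$#" -eq 4 ]; then
    build_crl_bundle "$1" "$2" "$3" "$4"
fi
```

Two points worth knowing when using this: the file passed as CAFILE must contain the issuer of every CRL in the list (the intermediate and the root, as cachain.pem does), or verify_crl will reject a perfectly good CRL; and httpd reads SSLCARevocationFile at startup, so the new bundle takes effect only after a graceful restart.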