httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bill Tangren <...@aa.usno.navy.mil>
Subject Re: [users@httpd] apache client authentication problem (somewhat long)
Date Tue, 28 Nov 2006 21:33:49 GMT
Serge Dubrouski wrote:
> Your client submits certificate signed by CA which certificate you
> don't have in your SSLCACertificatePath. Actually it looks like you
> incorrectly configured it. You have:
> 
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> SSLCACertificatePath /etc/httpd/conf/ssl.crt
> 
> You should use just one of those options. If you use
> SSLCACertificateFile your file (stacked pem) should have certificates
> for all CA that issue certificates for you clients. If you use
> SSLCACertificatePath place all certs into that directory and create
> links like it's described here:
> 
> http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html

> 
> 
> 


OK, I've read that. I may be stuck on this line:

1: # Make sure the new CA certificate is in PEM format.

The CA's I obtained from a very user-hostile web site. It listed each CA 
separately (like CA-12, CA-13, etc.), and allowed me to view the certificates, 
or download them. If you download them, I am given .cer files. If you view them, 
I am given a lot of text in between a -----BEGIN CERTIFICATE----- and an 
-----END CERTIFICATE-----, as well as the certificate contents in readable form. 
I don't know what .cer files are, except googling indicates they may be 
something that Microsoft uses, as MS has a utility that reads them, and will 
install the certificate. I copied each text certificate and concatenated them 
into a single root.crt file.

This link:

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-ca-cert.htm

seems to indicate that what I did was correct.

Also, removing the SSLCACertificatePath line in ssl.conf does not help.

I have an emailed copy of another servers root.crt file, from a site that has 
this working, and I STILL get these errors. I had copied his ssl.conf as well. 
He used both lines given above.

Thanks for responding.

Any other ideas?



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message