httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bill Tangren <>
Subject Re: [users@httpd] apache client authentication problem (somewhat long)
Date Tue, 28 Nov 2006 21:33:49 GMT
Serge Dubrouski wrote:
> Your client submits certificate signed by CA which certificate you
> don't have in your SSLCACertificatePath. Actually it looks like you
> incorrectly configured it. You have:
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> SSLCACertificatePath /etc/httpd/conf/ssl.crt
> You should use just one of those options. If you use
> SSLCACertificateFile your file (stacked pem) should have certificates
> for all CA that issue certificates for you clients. If you use
> SSLCACertificatePath place all certs into that directory and create
> links like it's described here:


OK, I've read that. I may be stuck on this line:

1: # Make sure the new CA certificate is in PEM format.

The CA's I obtained from a very user-hostile web site. It listed each CA 
separately (like CA-12, CA-13, etc.), and allowed me to view the certificates, 
or download them. If you download them, I am given .cer files. If you view them, 
I am given a lot of text in between a -----BEGIN CERTIFICATE----- and an 
-----END CERTIFICATE-----, as well as the certificate contents in readable form. 
I don't know what .cer files are, except googling indicates they may be 
something that Microsoft uses, as MS has a utility that reads them, and will 
install the certificate. I copied each text certificate and concatenated them 
into a single root.crt file.

This link:

seems to indicate that what I did was correct.

Also, removing the SSLCACertificatePath line in ssl.conf does not help.

I have an emailed copy of another servers root.crt file, from a site that has 
this working, and I STILL get these errors. I had copied his ssl.conf as well. 
He used both lines given above.

Thanks for responding.

Any other ideas?

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message