httpd-users mailing list archives

From Tina Exner <tex...@picturesafe.de>
Subject Re: [users@httpd] Export CACertificate to Tomcat
Date Thu, 05 Aug 2010 10:19:52 GMT

Does nobody know a solution for this problem?


> hi all,
>
> we have a nexus multiid server for certificate authentication.
> i try to pass the client smartcard certificates from apache to tomcat 
> server.
> the tomcat talks to the nexus and the authentication takes effect.
>
> when i try to export the client ca certificate to the tomcat server
>  i get the following errors:
>
> [Mon Aug 02 15:36:40 2010] [error] [client] Certificate Verification: Error (20): unable to get local issuer certificate
> [Mon Aug 02 15:36:40 2010] [error] [client] Re-negotiation handshake failed: Not accepted by client!?
>
> @Firefox:
> (Fehlercode: ssl_error_unknown_ca_alert)
>
>
> this is my ssl configuration:
>
> <IfModule ssl_module>
>           SSLVerifyClient none
>           SSLVerifyDepth 5
>
>           #SSLOptions +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
>           SSLOptions +ExportCertData
>
>           #SSLCACertificateFile conf/ssl/Certificate.cer
>
> </IfModule>
>
> <Location /nexus>
>                 SSLVerifyClient         require
>                 SSLVerifyDepth          5
>
>                 #SSLCACertificateFile    /ps/apache2.2/testsystem1/conf/ssl/Certificate.crt
>                 #SSLOptions             +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
>                 SSLOptions              +ExportCertData +StdEnvVars
>                 #SSLRequireSSL
> </Location>
>
>
> my jk.conf:
>
>   JkExtractSSL          On
>   JkHTTPSIndicator      HTTPS
>   JkSESSIONIndicator    SSL_SESSION_ID
>   JkCIPHERIndicator     SSL_CIPHER
>   JkCERTSIndicator      SSL_CLIENT_CERT
>   JkEnvVar              SSL_CLIENT_CERT SSL_CLIENT_CERT
>   JkOptions             +ForwardSSLCertChain
>
>
> i use apache 2.2.13-3 and openssl 0.9.8a.
>
> Any hints on what might have gone wrong will be highly useful.
>
> regards
> Tin
>
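
Added example, not part of the original message: "Error (20): unable to get local issuer certificate" in the quoted log is OpenSSL's verify code for a certificate whose issuer is missing from the verifier's trust store. The script below reproduces that result with `openssl verify`; the CA and user names and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Reproduce X.509 verify error 20 with constructed certificates.
# smartcard-ca, unrelated-ca and card-user are made-up names (assumptions).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1 (key: $1.key, certificate: $1.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a client certificate $1.pem signed by CA $2.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Print "ok" if client certificate $1 chains to trust file $2.pem,
# otherwise print the numeric verify error (the number mod_ssl logs).
verify_result() {
    out=$(openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    else
        case "$out" in *": OK"*) echo ok ;; *) echo unknown ;; esac
    fi
}

make_ca smartcard-ca                 # the CA that issues the client certs
make_ca unrelated-ca                 # a CA that did not issue them
issue_client card-user smartcard-ca

# Trust store contains the issuing CA: the chain builds.
echo "trusting issuing CA:   $(verify_result card-user smartcard-ca)"
# Trust store lacks the issuing CA: same failure as in the quoted log.
echo "trusting unrelated CA: $(verify_result card-user unrelated-ca)"
```

mod_ssl takes its trust store for client verification from `SSLCACertificateFile` or `SSLCACertificatePath`; in the quoted configuration every `SSLCACertificateFile` line is commented out.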
