I am having a problem with client authentication, getting client
certificates to work.

I have installed the client certificate in Internet Explorer; this also
installs the server certificate as a 'trusted root certificate'.

When I access the basic https area of the website, all works correctly. When I
attempt to go into the area where SSLVerifyClient is required, the certificate
is prompted for. But when it is chosen I get a "The page cannot be displayed"
error.

The error in the ssl_error_log is:

    [Fri Jan 09 11:37:48 2004] [error] Re-negotiation handshake failed: Not accepted by client!?

If the certificates are viewed, IE says that they are valid etc.

I was after references to good HowTo's or any views on whether this is an
IE, modssl, Apache or just a certificates problem.

Thanks in advance

Our server is Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6mdk)
mod_perl/1.99_09 Perl/v5.8.1 mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2!

And clients are Internet Explorer IE6 and Opera 7.2

***** SETUP CERTIFICATES AS FOLLOWS in directory /home/test/CA/: *****

CERTIFICATION AUTHORITY

Generate New Certification Authority

    perl CA.pl -newca

(when prompted I set the CN name to the server's IP address)

SERVER CERTIFICATE

Generate new certificate request for SERVER (newreq.pem)

    perl CA.pl -newreq

(when prompted I set the CN name to the server's IP address)

Sign it (generates newcert.pem)

    perl CA.pl -sign

Get Key from it

    openssl rsa < newreq.pem > newkey.pem

CLIENT CERTIFICATE

Generate Unencrypted Key for CLIENT

    openssl genrsa -out client_unsecure.key 1024

Generate new certificate request for CLIENT

    openssl req -new -key client_unsecure.key -out client_unsecure.csr

(when prompted I set the CN name to the client IP address)

Sign it

    openssl ca -config /<somepath>/openssl.cnf -policy policy_anything -out client_unsecure.crt -infiles client_unsecure.csr

Create format for Internet Explorer

    openssl pkcs12 -export -in client_unsecure.crt -inkey client_unsecure.key -name "Client Cert" -certfile ./demoCA/cacert.pem -out clientcert.p12

41_MOD_SSL.DEFAULT-VHOST.CONF SETTINGS AS FOLLOWS:

    DocumentRoot "/var/www/html/secure"
    ErrorLog logs/ssl_error_log
    <IfModule mod_log_config.c>
    TransferLog logs/ssl_access_log
    </IfModule>

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM

    # Server Certificate:
    SSLCertificateFile /home/test/CA/newcert.pem

    # Server Private Key:
    SSLCertificateKeyFile /home/test/CA/newkey.pem

    # Server Certificate Chain:

    # Certificate Authority (CA):
    SSLCACertificateFile /home/test/CA/demoCA/cacert.pem

    # Certificate Revocation Lists (CRL):

    # Client Authentication (Type):
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    <Location /audit>
    SSLVerifyClient require
    SSLVerifyDepth 1
    </Location>
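
Added example, not part of the original post and not mod_ssl code: the log line mentions a re-negotiation because, per the mod_ssl documentation, SSLVerifyClient in a per-directory context such as <Location /audit> requests the client certificate by renegotiating after the request is read, while at server or virtual-host level it is requested in the initial handshake. The Python sketch below classifies each active SSLVerifyClient directive that way; SAMPLE_CONF is constructed from the settings in the post, and client_verify_contexts is a hypothetical helper name.

```python
import re

# Constructed sample: the client-auth lines from the vhost settings in the post.
SAMPLE_CONF = """\
SSLEngine on
SSLCACertificateFile /home/test/CA/demoCA/cacert.pem
#SSLVerifyClient require
#SSLVerifyDepth 10
<Location /audit>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
"""

# Containers that put a directive in per-directory context.
PER_DIR = {"location", "locationmatch", "directory", "directorymatch",
           "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

def client_verify_contexts(conf_text):
    """Return (line_no, level, context, phase) per active SSLVerifyClient."""
    stack, found = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        m = CLOSE.fullmatch(line)
        if m:
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.fullmatch(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip()))
            continue
        parts = line.split()
        if parts[0].lower() == "sslverifyclient" and len(parts) > 1:
            per_dir = [s for s in stack if s[0] in PER_DIR]
            if per_dir:  # innermost per-directory container decides
                ctx, phase = "<%s %s>" % per_dir[-1], "renegotiation"
            else:
                ctx, phase = "server", "initial handshake"
            found.append((no, parts[1].lower(), ctx, phase))
    return found

if __name__ == "__main__":
    for no, level, ctx, phase in client_verify_contexts(SAMPLE_CONF):
        print("line %d: SSLVerifyClient %s in %s -> %s" % (no, level, ctx, phase))
```
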