I am working with Apache 1.3.12, OpenSSL 0.9.3, and
mod_ssl-2.6.3-1.3.12. All software is installed on Solaris 2.8. I
have Netscape CMS 4.1 installed as well. The Netscape CMS is our root
CA, and we would like to have the Netscape CA issue our Apache Web Server
and Netscape Communicator certificates.
We were able to establish a one-way SSL channel only. The bad news here
is that we could only establish this channel with Apache being the
issuing authority. We could NOT get this to work with Netscape CA. We
received the error message "Missing or malformed KeyGen, PKCS10 or CRMF
request." This is the message we received when posting the cert request
to our Netscape Root CA.
Here's what is strange. We received the above error message for any
server certs we requested after the initial installation/configuration
of the Apache server. Part of the process for this initial install is
to go through the process of obtaining a temporary, bootstrap server
cert that is signed by a self-signed cert that came bundled with the
product. Now, here's where the inconsistency comes. The Netscape CMS
is happy with the bootstrap server cert request! Yup, I can issue this
server cert only. I find this very strange. I parsed both the
bootstrap cert request and the other server cert requests to see if
there is a difference. I couldn't find one at all. This is very
frustrating.
We decided to try to use the bootstrap server cert to see if we could at
least do mutual authentication. We loaded the Netscape Root CA cert into
Apache's trusted root database. We used tools provided with the server
to verify that the root CA cert was properly installed. It was. After
restarting the server in mutual authentication mode, we then attempted
to authenticate ourselves to the Web server and received the error
messages "certificate signature failure, ASN1_verify:bad get asn1 object
call, SSL3_GET_CLIENT_CERTIFICATE:no certificate returned." We know that
the server properly queried the browser for a client cert as we
configured the browser to prompt us each and every time a cert is
required.
So, we next added the subordinate CA cert (the issuer of our end entity
cert) to the trusted root database. We received the same error
messages.
Next, we removed the root and subordinate CAs from our trusted root
database. As expected, we received the error message indicating that it
couldn't locate the issuer in its trusted root database. From this, we
definitely know that it can locate the CA in its trusted root database.
The problem is that we don't know why it's failing to validate the CA's
cert.
Any help would be greatly appreciated.
Lorrayne Schaefer
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
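The two checks the error messages in this post point at, as an added shell example that is not part of the original post and not mod_ssl's or Netscape CMS's own tooling: it builds a constructed root CA, subordinate CA and client certificate with openssl, verifies a PKCS#10 request's self-signature (the "malformed PKCS10" case), and then validates the client cert against a trust file with and without the issuing subordinate CA present (the issuer-lookup case). All names, subjects and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway
# root CA -> subordinate CA -> end-entity chain with openssl (all names
# and subjects are constructed), then runs the two checks the post's
# error messages point at:
#   1. is the PKCS#10 request well-formed and correctly self-signed?
#   2. does the end-entity cert chain to what the server actually trusts?
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that make a cert usable as an issuer (CA:TRUE, keyCertSign)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Root CA (self-signed) and a subordinate CA signed by it
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out sub.pem 2>/dev/null

# End-entity (client) cert issued by the subordinate CA, plus a deliberately
# truncated copy of its request to stand in for a malformed PKCS#10
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Client" -keyout ee.key -out ee.csr 2>/dev/null
openssl x509 -req -in ee.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 2 -out ee.pem 2>/dev/null
head -c 200 ee.csr > ee-truncated.csr

# Check 1: the request parses and its self-signature verifies
csr_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Check 2: the leaf validates against a trust file (what a server's trusted
# root database holds), optionally with extra untrusted intermediates
chain_ok() {
  leaf=$1; trust=$2; extra=${3:-}
  if [ -n "$extra" ]; then
    openssl verify -CAfile "$trust" -untrusted "$extra" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$trust" "$leaf" >/dev/null 2>&1
  fi
}

cat root.pem sub.pem > trust-chain.pem

csr_ok ee.csr                   && echo "ee.csr: request OK"
csr_ok ee-truncated.csr         || echo "ee-truncated.csr: malformed or unverifiable request"
chain_ok ee.pem root.pem        || echo "root only: issuer (sub CA) not found, client cert rejected"
chain_ok ee.pem trust-chain.pem && echo "root+sub: client cert validates"
```

With only the root in the trust file the leaf is rejected because its issuer (the subordinate CA) cannot be found; adding the subordinate CA to the same file, or supplying it as an untrusted intermediate, lets the chain validate.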