Hi,

If you want to trust a sub CA then you have to trust its Root. I.e. when you trust a Client certificate issued by a SubCA, you trust the sub CA, which automatically means you trust all certificates issued directly by the Root. Obviously you do not automatically trust all the certificates issued by other SubCAs of the same root.

The options SSLCACertificateFile and the like refer to client certificates, the SSLCertificateFile and the like to certificates for the server. I believe there is no connection between them, i.e. the Server can trust a commercial CA for the server certificate but does not trust it to issue client certificates. I have not tried this though.

There are two solutions for your scenario.

1) You use two CAs. I.e. you buy from a commercial CA a server certificate for your server and you run your own CA (or have it hosted by a provider) to issue client certificates from your own private root. Of course you can have your own private SubCA under your private root.

2) You use DN information of the client certificate to figure out whether to allow them access to your server. For this to work you have to trust the Root never to produce a certificate with that same information. It seems to be possible to use the issuer's information of the client certificate for this too. Have a look at the HowTo:

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \
               %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

It should be possible to use

    SSL_CLIENT_I_DN_O eq "Mastercard"

Hope this helps,
Jens

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 20, 2001 9:42 AM
To: [EMAIL PROTECTED]
Subject: 3tier certificate + client authentication doesn't seem to work. (newest apache/modperl/openssl)

How do I make the root CA known to apache but not valid for client authentication? (Only the sub root CA that signed the server/client should be valid.) (apache1.3.17, modssl2.8, openssl0.9.6)

I've got a three tier cert hierarchy like:

    root ca --signs--> project ca --signs--> server/client certs

The problem is that unless I place the root ca in SSLCACertificateFile or SSLCACertificatePath apache complains about not being able to locate the local issuer. If I place the root in either of these apache allows server/client certs that were signed directly by the root ca to access the server (when I only want to allow certs signed by the project ca).

I would think that one should only need SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile (containing the project ca and root ca), SSLCACertificateFile (containing just the project ca), SSLVerifyClient require, and SSLVerifyDepth 2. These settings do not work as advertised. Only the project CA is loaded at startup (looking at the ssl_engine_log) and when attempting to do a client connection, apache says it can't find the local issuer (this would seem to be the root ca, which IS IN the chain!! Isn't that enough?). If I add the root ca to the SSLCACertificateFile or SSLCACertificatePath apache allows clients signed by the root CA access.

Does apache not support three tier certificate hierarchies? Any other things I should try?
I know that the last two paragraphs basically restated the same issue but hopefully one of them will be clear enough for someone to understand.

-Matthew Lenz
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
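The hierarchy Matthew describes and Jens's second option, as an added example that is not part of the thread or of mod_ssl: this script builds a constructed root CA, project CA and two client certificates with the openssl CLI (assumed to be 1.1.1 or newer), shows that path validation anchored at the root accepts a client certificate signed directly by the root, and then applies an issuer-DN check equivalent to Jens's SSL_CLIENT_I_DN test so that only the project CA's clients pass.

```shell
#!/bin/sh
# Added example (not from the thread): build Matthew's three-tier hierarchy,
# root CA -> project CA -> client cert, plus a client cert signed directly by
# the root. Trusting the root admits both (his complaint); Jens's option 2,
# checking the issuer DN, admits only the project CA's clients.
# All names and DNs are constructed; needs the openssl CLI (1.1.1 or newer).
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
# issue NAME SUBJECT ISSUER EXTFILE: new key + CSR for NAME, signed by ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -out "$1.crt" -days 1 -extfile "$4" 2>/dev/null
}
# Self-signed root (extensions from ca.ext), then the project CA and two clients.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/O=Example Corp/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 1 \
  -extfile ca.ext 2>/dev/null
issue project     "/O=Example Corp/CN=Project CA"        root    ca.ext
issue client_proj "/O=Example Corp/OU=Staff/CN=alice"    project leaf.ext
issue client_root "/O=Example Corp/OU=Staff/CN=mallory"  root    leaf.ext

# What mod_ssl does with the root in SSLCACertificateFile and SSLVerifyDepth 2:
# path validation up to the trusted root, project CA as untrusted intermediate.
verify_to_root() {
  openssl verify -CAfile root.crt -untrusted project.crt "$1" >/dev/null 2>&1
}

# Jens's option 2: the client cert's issuer DN must equal the project CA's
# subject DN, the shell equivalent of an SSLRequire test on SSL_CLIENT_I_DN_*.
issuer_is_project() {
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  project=$(openssl x509 -in project.crt -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$issuer" = "$project" ]
}

# Access decision: valid chain AND issued by the project CA.
allowed() { verify_to_root "$1" && issuer_is_project "$1"; }

for c in client_proj client_root; do
  if verify_to_root "$c.crt"; then chain=valid; else chain=invalid; fi
  if allowed "$c.crt"; then decision=ALLOW; else decision=DENY; fi
  echo "$c: chain to root $chain, with issuer check $decision"
done
```

Both certificates verify to the root, which is exactly the behaviour Matthew saw; only the issuer check separates them.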
