How do I make a root CA known to apache but not valid for client authentication?
(Apache 1.3.17, mod_ssl 2.8, OpenSSL 0.9.6)

I've got a three-tier cert hierarchy like:

root CA --signs--> project CA --signs--> server/client certs

The problem is that unless I place the root CA in SSLCACertificateFile or
SSLCACertificatePath, Apache complains about not being able to locate the local
issuer.  If I place the root in either of these, Apache allows server/client
certs that were signed directly by the root CA to access the server (when I only
want to allow certs signed by the project CA).

I would think that one should only need SSLCertificateFile,
SSLCertificateKeyFile and SSLCertificateChainFile (containing the project CA and
root CA), SSLCACertificateFile (containing just the project CA), SSLVerifyClient
require, and SSLVerifyDepth 2.  These settings do not work as advertised.  Only
the project CA is loaded at startup (looking at the ssl_engine_log), and when
attempting to do a client connection, Apache says it can't find the local issuer
(this would seem to be the root CA, which IS IN the chain!!  Isn't that enough?).
If I add the root CA to the SSLCACertificateFile or SSLCACertificatePath, Apache
allows clients signed by the root CA access.  Does Apache not support three-tier
certificate hierarchies?  Any other things I should try?

I know that the last two paragraphs basically restated the same issue, but
hopefully one of them will be clear enough for someone to understand.  If you
can believe it, we've been toying with this for 3 months now, and I fear this is
going to reflect badly on the use of open-source software within the company.
The vendor who manages our certificates is finger-pointing at Apache, and it's
driving me insane.  I've been using Apache since its first year of existence, and
I can't imagine being stuck using commercial implementations (which don't work
AT ALL) here for the rest of my days just because of a lack of documentation :(.
Any help would be greatly appreciated.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

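The configuration the post describes, beside one that admits only certificates issued by the project CA, as an added example (not from the original message and not the mod_ssl project's own documentation). Two facts drive it: OpenSSL's verifier on the server side looks only in SSLCACertificateFile/SSLCACertificatePath and must reach a trusted self-signed root there to complete a chain (SSLCertificateChainFile is only sent to connecting clients so they can chain the server cert), and SSLVerifyDepth cannot exclude a root-signed client cert because that chain is shorter than the three-tier one. The immediate issuer is therefore pinned with SSLRequire on SSL_CLIENT_I_DN. The file paths and the issuer DN "/C=US/O=Example Corp/CN=Project CA" are assumptions; substitute the project CA's real subject DN.

```apache
# --- Before: reproduces the behaviour in the post ---------------------------
# Only the project CA is in SSLCACertificateFile, so the verifier cannot find
# the root that issued it: "unable to get local issuer certificate".
# Putting the root in SSLCertificateChainFile does not help; that file is
# handed to clients for the server cert, not used to verify client certs.
# (Paths are assumed; adjust to the real ServerRoot layout.)
SSLCertificateFile      /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile   /usr/local/apache/conf/ssl.key/server.key
# chain.crt = project CA + root CA, PEM concatenated
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/chain.crt
# project-ca.crt = project CA only
SSLCACertificateFile    /usr/local/apache/conf/ssl.crt/project-ca.crt
SSLVerifyClient         require
SSLVerifyDepth          2

# --- After: chain completes, issuer is pinned -------------------------------
# 1. ca-bundle.crt = project CA + root CA, PEM concatenated, so verification
#    can reach a trusted root.
# 2. That also makes any cert the root signs directly verify at handshake
#    time (depth 1); SSLVerifyDepth cannot reject it without also rejecting
#    the depth-2 project-CA chain.
# 3. SSLRequire (directory/location context in mod_ssl) refuses the request
#    unless the client cert's issuer DN is exactly the project CA.
#    The DN below is an assumption; use the project CA's real subject DN in
#    OpenSSL one-line form, as `openssl x509 -noout -issuer -in client.crt`
#    prints it.
SSLCertificateFile      /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile   /usr/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/chain.crt
SSLCACertificateFile    /usr/local/apache/conf/ssl.crt/ca-bundle.crt
SSLVerifyClient         require
SSLVerifyDepth          2

<Location />
    SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=Example Corp/CN=Project CA"
</Location>
```

Two checks before relying on this: a root-signed client cert still completes the TLS handshake and is only refused at the HTTP layer (403), so confirm with such a cert that the SSLRequire actually fires; and if SSLCACertificatePath is used instead of SSLCACertificateFile, the directory must contain hash-named links (c_rehash), otherwise the root is silently not found and the same "local issuer" error returns.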