Hi all.

I have a problem with certificate chains in apache_1.3.19 with mod_ssl.

I have configured httpd.conf as follows:

**********************************************************
httpd.conf:

SSLCertificateFile /path/to/cert/server_certificate.pem
SSLCertificateKeyFile /path/to/cert/server_key.pem
SSLCACertificatePath /path/to/cert
SSLCertificateChainFile /path/to/cert/cas_certificates.p7c (PEM format)
SSLCACertificateFile /path/to/cert/subCA_certificate.pem
SSLVerifyClient optional
SSLVerifyDepth 3
***********************************************************

cas_certificates.p7c is a certificate chain that contains two CAs, subCA at index 0 and rootCA at index 1
server_certificate.pem is signed by subCA
subCA_certificate.pem contains the subCA certificate
SSLCACertificatePath contains the cert directory with all certificates (I think it is optional)

I can access through a Netscape browser because VerifyClient is optional. I want to access through a Java servlet which wants to retrieve the client certificate.

When I try this I get the following exception:

in /path/to/apache/logs/error.log:

[Wed Jul 10 10:59:58 2002] [error] mod_ssl: Certificate Verification: Error (19): self signed certificate in certificate chain
[Wed Jul 10 10:59:58 2002] [error] mod_ssl: SSL handshake failed (server bree.dif.um.es:443, client 155.54.95.12) (OpenSSL library error follows)
[Wed Jul 10 10:59:58 2002] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

in /path/to/apache/logs/ssl_engine:

[10/Jul/2002 10:59:50 02548] [info] Server: Apache/1.3.19, Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6c
[10/Jul/2002 10:59:50 02548] [info] Init: 1st startup round (still not detached)
[10/Jul/2002 10:59:50 02548] [info] Init: Initializing OpenSSL library
[10/Jul/2002 10:59:50 02548] [info] Init: Loading certificate & private key of SSL-aware server bree.dif.um.es:443
[10/Jul/2002 10:59:50 02548] [info] Init: Seeding PRNG with 136 bytes of entropy
[10/Jul/2002 10:59:50 02548] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[10/Jul/2002 10:59:50 02548] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[10/Jul/2002 10:59:50 02549] [info] Init: 2nd startup round (already detached)
[10/Jul/2002 10:59:50 02549] [info] Init: Reinitializing OpenSSL library
[10/Jul/2002 10:59:50 02549] [info] Init: Seeding PRNG with 136 bytes of entropy
[10/Jul/2002 10:59:50 02549] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[10/Jul/2002 10:59:50 02549] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[10/Jul/2002 10:59:50 02549] [info] Init: Initializing (virtual) servers for SSL
[10/Jul/2002 10:59:50 02549] [info] Init: Configuring server bree.dif.um.es:443 for SSL protocol
[10/Jul/2002 10:59:58 02552] [info] Connection to child 0 established (server bree.dif.um.es:443, client 155.54.95.12)
[10/Jul/2002 10:59:58 02552] [info] Seeding PRNG with 1160 bytes of entropy
[10/Jul/2002 10:59:58 02552] [error] Certificate Verification: Error (19): self signed certificate in certificate chain
[10/Jul/2002 10:59:58 02552] [error] SSL handshake failed (server bree.dif.um.es:443, client 155.54.95.12) (OpenSSL library error follows)
[10/Jul/2002 10:59:58 02552] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

I think it's a problem of Apache SSL configuration but I'm not sure.

Any idea?

Thanks a lot, Gabi.

--
-------------------------------------------------
Gabriel Lopez Millan - Grupo ANTS-CIRCuS
Facultad de Informática
Universidad de Murcia (España)
Tfo: +34 968367645
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
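
An added example, not part of the original post and not mod_ssl code: a small Python parser for the ssl_engine log format quoted above that pairs each "Certificate Verification: Error (N)" line with the handshake failure logged by the same child PID and names the OpenSSL verify code. The function, regex and table names are hypothetical, and the sample input is constructed from lines in the post.

```python
import re

# Subset of OpenSSL X509_V_ERR_* codes, as printed in "Error (N)".
VERIFY_CODES = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

# ssl_engine log line: [DD/Mon/YYYY HH:MM:SS PID] [level] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+?) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
VERIFY = re.compile(r"Certificate Verification: Error \((?P<code>\d+)\): (?P<text>.*)")
FAILED = re.compile(r"SSL handshake failed \(server (?P<server>[^,]+), client (?P<client>[^)]+)\)")

# Constructed sample: one [info] line and the three [error] lines from the post.
SAMPLE = """\
[10/Jul/2002 10:59:58 02552] [info] Seeding PRNG with 1160 bytes of entropy
[10/Jul/2002 10:59:58 02552] [error] Certificate Verification: Error (19): self signed certificate in certificate chain
[10/Jul/2002 10:59:58 02552] [error] SSL handshake failed (server bree.dif.um.es:443, client 155.54.95.12) (OpenSSL library error follows)
[10/Jul/2002 10:59:58 02552] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

def failed_client_verifications(log_text):
    """Pair each verification error with the handshake failure from the same child PID."""
    pending = {}  # pid -> verification error still waiting for its handshake-failure line
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["level"] != "error":
            continue
        v = VERIFY.search(m["msg"])
        if v:
            code = int(v["code"])
            pending[m["pid"]] = {"time": m["ts"], "code": code, "text": v["text"],
                                 "name": VERIFY_CODES.get(code, "unknown")}
            continue
        f = FAILED.search(m["msg"])
        if f and m["pid"] in pending:
            events.append({**pending.pop(m["pid"]), "server": f["server"], "client": f["client"]})
    return events

if __name__ == "__main__":
    for event in failed_client_verifications(SAMPLE):
        print(event)
```

Code 19 means the chain OpenSSL built for the client certificate ended in a self-signed certificate that is not among the CA certificates the server trusts.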