Hello guys,
I have following pki-environment:
RootCA
| |
Issuing SubCA-1 Issuing SubCA-2
| |
UserCert-A UserCert-B
I want to make clientauthentication with certificates only for user with certs
from the Issuing SubCA-2.
So I made the follwing configuration:
SSLVerifyClient require
SSLCACertificateFile CACHAIN.PEM
SSLVerifyDepth 2
CACHAIN.PEM includes the cert from RootCA and from the Issuing SubCA-2.
Now comes the problem. Not only users with certs from SubCA-2 can connect, also
users with certs from the SubCA-1 (f.i. UserCert-A) can connect.
How can I avoid this???
I tried to use only the certificate from SubCA-2 in the directive
(SSLCACertificateFile SubCA-2.pem), but with this config noone can connect,
also not the clients with certs from SubCA-2.
I know the possibility to check for various ingredients of the client
certficate (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular) but
I don't want to use this.
I readed an old post
(http://www.mail-archive.com/modssl-users@modssl.org/msg10335.html) in this
mailinglist. This post said, that users with certs from SubCA-1 should not be
connect.
Please help, I have no new ideas.
Best regards daniel
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
