Hi,

I think you have to put the RootCA and Issuing SubCA-2 certificates (both in PEM) into your SSLCACertificateFile and change your SSLVerifyDepth to 1.
It works on my servers.

Bye,
Juan Angel Martin Gomez
AC Camerfirma
Tel. +34 920252750
Fax +34 920252732
http://www.camerfirma.com

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Fitzner Daniel
Sent: Thursday, 16 December 2004 8:33
To: '[EMAIL PROTECTED]'
Subject: Client authentication with certificates and Apache

Hello guys,

I have the following PKI environment:

                RootCA
               /      \
    Issuing SubCA-1   Issuing SubCA-2
          |                 |
     UserCert-A        UserCert-B

I want to do client authentication with certificates only for users with certs from Issuing SubCA-2, so I made the following configuration:

    SSLVerifyClient require
    SSLCACertificateFile CACHAIN.PEM
    SSLVerifyDepth 2

CACHAIN.PEM includes the cert from RootCA and the one from Issuing SubCA-2.

Now comes the problem. Not only users with certs from SubCA-2 can connect; users with certs from SubCA-1 (e.g. UserCert-A) can connect as well. How can I avoid this?

I tried using only the certificate from SubCA-2 in the directive (SSLCACertificateFile SubCA-2.pem), but with this config nobody can connect, not even the clients with certs from SubCA-2.

I know about the possibility of checking various ingredients of the client certificate (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular), but I don't want to use that.

I read an old post (http://www.mail-archive.com/modssl-users@modssl.org/msg10335.html) on this mailing list. That post said that users with certs from SubCA-1 should not be able to connect.

Please help, I have no new ideas.

Best regards
daniel

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
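Editor's note with an added example (it is neither poster's code, nor anything from the mod_ssl project). The behaviour Daniel describes is what a trust store is supposed to do: once RootCA is in SSLCACertificateFile, every certificate RootCA ever signed, via any sub-CA the client cares to present, chains to it and verifies. Listing SubCA-2 in the same file adds nothing, and a depth limit only caps chain length; it does not pick issuers. The only verification-level fix is to make SubCA-2 the sole trust anchor, and the reason "SubCA-2.pem alone admits nobody" in 2004 is that OpenSSL then required every chain to end at a self-signed certificate; accepting a non-self-signed anchor ("partial chain", X509_V_FLAG_PARTIAL_CHAIN, `openssl verify -partial_chain`) only arrived in OpenSSL 1.0.2. The script below rebuilds the post's hierarchy with throwaway keys in a temporary directory (the CA and user names are taken from the post; the directory, file names and the `admits`/`report` helpers are this example's own) and uses `openssl verify` as a stand-in for mod_ssl's handshake-time check, with `-untrusted` standing in for the sub-CA certificate a client sends along with its own. It assumes an openssl CLI of version 1.1.1 or newer, and the `-verify_depth 1` run relies on the 1.1.0+ rule (per the `openssl verify` man page) that neither the end-entity certificate nor the trust anchor counts against the depth limit.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI (1.1.1 or newer).
# Rebuilds the hierarchy from the original post in a throwaway directory and
# checks which trust store admits which user. `openssl verify` stands in for
# what mod_ssl does with SSLCACertificateFile during the handshake.

PKI=$(mktemp -d)
cd "$PKI" || exit 1

# Minimal config so `openssl req` works even without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions for CA certificates and for end-entity client certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' > user.ext

# newcsr NAME: fresh P-256 key plus a CSR with CN=NAME.
newcsr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$1" -config req.cnf 2>/dev/null
}

# issue NAME ISSUER EXTFILE: certificate for NAME signed by ISSUER's key.
issue() {
    newcsr "$1"
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Self-signed root, the two issuing sub-CAs, and one user under each:
#   RootCA -> SubCA-1 -> UserCert-A
#   RootCA -> SubCA-2 -> UserCert-B
newcsr RootCA
openssl x509 -req -in RootCA.csr -signkey RootCA.key -days 2 -extfile ca.ext \
    -out RootCA.pem 2>/dev/null
issue SubCA-1 RootCA ca.ext
issue SubCA-2 RootCA ca.ext
issue UserCert-A SubCA-1 user.ext
issue UserCert-B SubCA-2 user.ext

# The original poster's CACHAIN.PEM: RootCA plus SubCA-2.
cat RootCA.pem SubCA-2.pem > CACHAIN.pem

# admits STORE USER ISSUER [verify options]: exit 0 if USER's certificate
# verifies against trust store STORE. The client is assumed to present its own
# issuing sub-CA next to its certificate (-untrusted), as a browser configured
# with the full chain does. -no-CApath keeps the system trust dir out of it.
admits() {
    store=$1; user=$2; issuer=$3; shift 3
    openssl verify -no-CApath -CAfile "$store" -untrusted "$issuer.pem" "$@" \
        "$user.pem" >/dev/null 2>&1
}

# report LABEL STORE USER ISSUER [verify options]: human-readable wrapper.
report() {
    label=$1; shift
    if admits "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}

echo "test PKI built in $PKI"
# Daniel's configuration: RootCA is trusted, so its whole tree is.
report "UserCert-B, store CACHAIN (RootCA + SubCA-2)"   CACHAIN.pem UserCert-B SubCA-2
report "UserCert-A, store CACHAIN (RootCA + SubCA-2)"   CACHAIN.pem UserCert-A SubCA-1
# Juan's suggestion: a depth limit of 1 still admits UserCert-A on OpenSSL >= 1.1.0,
# because the leaf and the trust anchor do not count against the limit.
report "UserCert-A, store CACHAIN, -verify_depth 1"     CACHAIN.pem UserCert-A SubCA-1 -verify_depth 1
# SubCA-2 alone: rejected until the verifier accepts a non-self-signed anchor.
report "UserCert-B, store SubCA-2 only"                 SubCA-2.pem UserCert-B SubCA-2
report "UserCert-B, store SubCA-2 only, -partial_chain" SubCA-2.pem UserCert-B SubCA-2 -partial_chain
report "UserCert-A, store SubCA-2 only, -partial_chain" SubCA-2.pem UserCert-A SubCA-1 -partial_chain
```

Run it as `sh pki-demo.sh`; the first three checks print "accepted", the fourth "rejected", the fifth "accepted" and the last "rejected". The temporary directory is left in place so the certificates can be inspected with `openssl x509 -text`. The lesson for the Apache side is that a CA file restricts nothing below the roots it contains; to admit only SubCA-2's users you need a verifier that can treat SubCA-2 itself as the anchor (partial-chain mode, whose availability in a given mod_ssl build is something to confirm against its documentation), a separate root that signs only SubCA-2, or an issuer check on the client certificate such as the SSLRequire approach Daniel wanted to avoid.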