Hi,

I think that you must put the RootCA and Issuing SubCA-2 certificates (both in
PEM) into your SSLCACertificateFile and change your SSLVerifyDepth to 1.

It works on my servers.

bye

Juan Angel Martin Gomez
AC Camerfirma
Tel. +34 920252750  Fax +34 920252732
http://www.camerfirma.com


-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
behalf of Fitzner Daniel
Sent: Thursday, 16 December 2004 8:33
To: '[EMAIL PROTECTED]'
Subject: Client authentication with certificates and Apache

Hello guys,

I have the following PKI environment:

                 RootCA
                /      \
   Issuing SubCA-1    Issuing SubCA-2
         |                   |
     UserCert-A          UserCert-B

I want to do client authentication with certificates only for users with
certs from Issuing SubCA-2.

So I made the following configuration:

SSLVerifyClient require
SSLCACertificateFile    CACHAIN.PEM
SSLVerifyDepth 2

CACHAIN.PEM includes the cert from RootCA and from the Issuing SubCA-2.

Now comes the problem. Not only users with certs from SubCA-2 can connect;
users with certs from SubCA-1 (e.g. UserCert-A) can connect as well.

How can I avoid this?

I tried to use only the certificate from SubCA-2 in the directive
(SSLCACertificateFile   SubCA-2.pem), but with this config no one can
connect, not even the clients with certs from SubCA-2.

I know about the possibility of checking various fields of the client
certificate (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular),
but I don't want to use this.

I read an old post
(http://www.mail-archive.com/modssl-users@modssl.org/msg10335.html) on this
mailing list. This post said that users with certs from SubCA-1 should not
be able to connect.

Please help, I have no new ideas.

Best regards, Daniel
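The behaviour Daniel describes is OpenSSL's, not Apache's: mod_ssl hands SSLCACertificateFile to OpenSSL as the trust store, and OpenSSL treats every certificate that chains to a trusted self-signed root as valid, whichever sub-CA issued it. A TLS client normally sends its issuing sub-CA certificate in the handshake, so UserCert-A chains through SubCA-1 to the trusted RootCA and passes. SSLVerifyDepth only bounds the chain length; SubCA-1 and SubCA-2 sit at the same depth under the same root, so no depth value can separate them. Trusting only SubCA-2 fails for everyone because OpenSSL refuses to stop at a non-self-signed anchor unless partial-chain verification is enabled. The script below is an added example by the editor, not code from the thread: it builds the PKI from Daniel's diagram with throw-away keys and runs `openssl verify` for each trust-store choice. It assumes the `openssl` command line is installed (1.0.2 or later for `-partial_chain`); the file names are the editor's.

```shell
#!/bin/sh
# Added example, not from the thread: build the PKI in Daniel's diagram with
# openssl and check which client certs each trust-store choice accepts.
# CA and user names follow the post; keys and certs are constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extension sets: CA certs get CA:TRUE, end-entity certs get CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > ee.ext

# csr NAME CN: fresh P-256 key plus a CSR for the given subject.
csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}
# issue NAME CA EXTFILE SERIAL: sign NAME's CSR with CA's key.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -set_serial "$4" -days 1 -extfile "$3" -out "$1.pem"
}

csr root RootCA
openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 1 \
  -extfile ca.ext -out root.pem
csr sub1 "Issuing SubCA-1";  issue sub1 root ca.ext 2
csr sub2 "Issuing SubCA-2";  issue sub2 root ca.ext 3
csr userA UserCert-A;        issue userA sub1 ee.ext 10
csr userB UserCert-B;        issue userB sub2 ee.ext 20

# Daniel's CACHAIN.PEM: RootCA plus Issuing SubCA-2.
cat root.pem sub2.pem > cachain.pem

# verify TRUSTED LEAF INTERMEDIATE [extra openssl verify flags]: exit 0 if LEAF
# chains to TRUSTED. INTERMEDIATE ("" for none) stands for the issuer cert a
# TLS client sends along with its own cert during the handshake.
verify() {
  trusted=$1; leaf=$2; inter=$3; shift 3
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$trusted" -untrusted "$inter" "$@" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$trusted" "$@" "$leaf" >/dev/null 2>&1
  fi
}

# Scenario 1 (Daniel's config): RootCA + SubCA-2 trusted. UserCert-B passes,
# but so does UserCert-A: it reaches the trusted root through the SubCA-1
# cert the client sends. A trusted root trusts every sub-CA beneath it.
userB_with_chain()   { verify cachain.pem userB.pem sub2.pem; }
userA_with_chain()   { verify cachain.pem userA.pem sub1.pem; }
# Scenario 2 (Daniel's second try): only SubCA-2 trusted. OpenSSL insists on
# a self-signed anchor, so nobody verifies, matching "no one can connect".
userB_sub2_only()    { verify sub2.pem userB.pem ""; }
# Scenario 3: only SubCA-2 trusted, with partial-chain verification
# (OpenSSL 1.0.2+). UserCert-B passes and UserCert-A is rejected.
userB_sub2_partial() { verify sub2.pem userB.pem "" -partial_chain; }
userA_sub2_partial() { verify sub2.pem userA.pem sub1.pem -partial_chain; }

for f in userB_with_chain userA_with_chain userB_sub2_only \
         userB_sub2_partial userA_sub2_partial; do
  if $f; then echo "$f: accepted"; else echo "$f: rejected"; fi
done
```

Scenario 3 is the property Daniel wants, but it needs the TLS stack to accept an intermediate as a trust anchor. Where the server cannot do that, the root must stay in SSLCACertificateFile and the issuer has to be pinned after the handshake, which is the SSLRequire check on the client certificate's issuer DN from the howto Daniel links.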



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
