All, I am working in an environment utilizing a PKI consisting of several Root and Intermediate Certificate Authorities. In order to reduce the overhead when requiring client authentication using digital certificates, I am using the following two directives:
SSLCACertificatePath – Used for Root and Intermediate CAs
SSLCARevocationPath – Used to process Certificate Revocation Lists

I've yet to encounter a version of Apache and Mod_SSL performing proper path validation. If a user presents a certificate that is revoked, but not included in the directory containing all the PEM/Base64 encoded CRL files and associated symbolic links, Apache allows access. If a user presents a certificate issued from an Intermediate Certificate Authority that is not included in the directory containing all the Root and Intermediate CA certificates in PEM/Base64 encoded format and associated symbolic links, he/she is allowed access. I would prefer the system to validate the entire chain and not allow access in the event a local CRL file or Intermediate CA certificate is not available.

By default, IIS performs this path validation correctly. If IIS does not have a current CRL file issued by each and every CA in the certificate path, the client is denied access. If IIS does not have a certificate from each and every CA in the certificate path, the client is denied access.

I am trying to automate the process of updating the CA certificate directory and associated CRL directories by scheduling a job to run on a nightly basis. If Apache has a local CRL and CA certificate from each and every CA in the path used to issue the client certificates, then all checks are performed and the client is properly validated. I would prefer the system default to "Closed" instead of "Open" in the event an Intermediate CA certificate is unavailable or no CRL file is available. Again, the system must have at least one CA certificate trusted and available locally, but no CRL files.

Note: I have issued a client certificate from a client certificate issued by one of the Intermediate CAs, and Apache does deny access because the key usage of the client certificate does not allow it to be used as a Root CA and issue additional client certificates.
I used OpenSSL in order to issue client certificates from a client certificate. This type of path validation seems to work on all the versions of Apache and Mod_SSL I've tested.

Thanks
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [email protected]
Automated List Manager                                 [EMAIL PROTECTED]
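The nightly job the post describes is where the "fail closed" policy can be enforced today, whatever mod_ssl itself does: rebuild the hashed SSLCACertificatePath and SSLCARevocationPath directories, then refuse to publish them if any CA certificate in the store has no CRL issued by it. The following script is an added example and is not code from the original post or from mod_ssl. It assumes `openssl` is on the PATH, that CA certificates arrive as `*.pem` in the first directory and CRLs as `*.pem` in the second, and that the server links against OpenSSL 1.0 or later (which uses the new subject hash; `-subject_hash_old` is needed for 0.9.x). All directory and file names, and the throw-away CA it builds to demonstrate itself, are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or mod_ssl: nightly refresh
# of the directories behind SSLCACertificatePath / SSLCARevocationPath that
# refuses to publish when any local CA certificate lacks a matching CRL, so a
# missing CRL fails closed in the job instead of falling open in the server.
# Assumptions: openssl on PATH; CA certs as *.pem in CA_DIR, CRLs as *.pem in
# CRL_DIR; names are illustrative.

# Hash OpenSSL uses to look a certificate (subject) or CRL (issuer) up in a
# hashed directory.  Assumes OpenSSL >= 1.0; 0.9.x needs -subject_hash_old.
cert_hash() { openssl x509 -noout -hash -in "$1"; }
crl_hash()  { openssl crl  -noout -hash -in "$1"; }

# rehash_dir DIR KIND: recreate HASH.N (KIND=cert) or HASH.rN (KIND=crl)
# symlinks for every *.pem in DIR, dropping stale links from earlier runs.
rehash_dir() {
    dir=$1; kind=$2
    find "$dir" -maxdepth 1 -type l -exec rm -f {} +
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        if [ "$kind" = crl ]; then h=$(crl_hash "$f"); sfx=r
        else h=$(cert_hash "$f"); sfx=; fi
        n=0
        while [ -e "$dir/$h.$sfx$n" ]; do n=$((n + 1)); done  # hash collision
        ln -s "$(basename "$f")" "$dir/$h.$sfx$n"
    done
}

# missing_crls CA_DIR CRL_DIR: print the subject DN of every CA certificate
# for which no CRL with that issuer DN exists; empty output = full coverage.
missing_crls() {
    cadir=$1; crldir=$2
    issuers=$(for c in "$crldir"/*.pem; do
                  [ -e "$c" ] || continue
                  openssl crl -noout -issuer -in "$c"; done)
    for ca in "$cadir"/*.pem; do
        [ -e "$ca" ] || continue
        dn=$(openssl x509 -noout -subject -in "$ca")
        dn=${dn#subject=}   # openssl prints "subject=DN" / "issuer=DN"
        printf '%s\n' "$issuers" | grep -Fxq "issuer=$dn" || printf '%s\n' "$dn"
    done
}

# refresh_store CA_DIR CRL_DIR: rehash both directories, then return 1 unless
# every CA certificate has a CRL, so the caller never swaps an incomplete
# store into the live SSLCACertificatePath / SSLCARevocationPath.
refresh_store() {
    rehash_dir "$1" cert
    rehash_dir "$2" crl
    miss=$(missing_crls "$1" "$2")
    [ -z "$miss" ] && return 0
    printf 'refusing to publish, no CRL for:\n%s\n' "$miss" >&2
    return 1
}

# make_test_pki WORK: constructed throw-away fixture (one self-signed CA and
# its empty CRL) so the script can demonstrate itself offline.
make_test_pki() {
    w=$1; mkdir -p "$w/ca" "$w/crl" "$w/db"
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$w/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$w/req.cnf" \
        -subj '/CN=Example Intermediate CA' -days 1 \
        -keyout "$w/db/ca.key" -out "$w/ca/intermediate.pem" 2>/dev/null
    : > "$w/db/index.txt"; echo 01 > "$w/db/crlnumber"
    printf '[ca]\ndefault_ca=d\n[d]\ndatabase=%s/db/index.txt\ncrlnumber=%s/db/crlnumber\ndefault_md=sha256\ndefault_crl_days=1\n' \
        "$w" "$w" > "$w/ca.cnf"
    openssl ca -config "$w/ca.cnf" -gencrl -keyfile "$w/db/ca.key" \
        -cert "$w/ca/intermediate.pem" -out "$w/crl/intermediate.pem" 2>/dev/null
}

if [ $# -eq 2 ]; then
    refresh_store "$1" "$2"            # nightly use: script CA_DIR CRL_DIR
else
    # No arguments: self-demonstration on the constructed fixture.
    W=$(mktemp -d); make_test_pki "$W"
    refresh_store "$W/ca" "$W/crl" && echo "published: every CA has a CRL"
    rm -f "$W"/crl/*                   # simulate the CRL download failing
    refresh_store "$W/ca" "$W/crl" || echo "held back, as intended"
    rm -rf "$W"
fi
```

The symlink part duplicates what `c_rehash` (or `openssl rehash` in newer releases) does; the coverage check is the piece those tools do not give you. Two caveats on what the job can and cannot enforce: later httpd releases (2.3.15 and up) offer `SSLCARevocationCheck chain`, which makes a missing CRL a verification failure ("unable to get certificate CRL") in the server itself, so the job becomes a second line of defence rather than the only one; and an intermediate CA that the client sends as part of its own chain is validated against the local root whether or not a copy sits in SSLCACertificatePath, so a missing intermediate is only a hard failure when neither side supplies it.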
