Hi,

I have the following CA structure:

Root CA (cacert.pem)
|
|_ sub CA 'A' (subcaacert.pem)
|
|_ sub CA 'B' (subcabcert.pem)

The idea is to give web access to certificates which are issued by sub CA 'A'. Certificates issued by sub CA 'B' must be rejected. I don't want to use things like the SSLRequire directive to match certain fields in the certificate; I want to use the structure of the CA instead. I use Apache 2.2.4.

Here is my first Apache configuration:

   SSLEngine on
   SSLVerifyClient require
   SSLVerifyDepth 1
   SSLCACertificateFile /<path-to>/cachain.pem
   SSLCertificateFile /<path-to>/cert.pem
   SSLCertificateKeyFile /<path-to>/key.pem

cachain.pem contains the Root CA and sub CA 'A'. The cipher-blocks are added to the file in the described order. I have also tried merging the two certificates like this:

openssl x509 -outform PEM -in subcaacert.pem -in subcabcert.pem -out cachain.pem

When I connect with a certificate which is issued by sub CA 'A', I get the following error:

certificate chain too long (chain has 2 certificates, but maximum allowed are only 1)

It seems that the certificate chain length is greater than the supplied maximum depth, so I changed to the following configuration:

   SSLEngine on
   SSLVerifyClient require
   SSLVerifyDepth 2
   SSLCACertificateFile /<path-to>/cachain.pem
   SSLCertificateFile /<path-to>/cert.pem
   SSLCertificateKeyFile /<path-to>/key.pem

I'm able to authenticate with my certificate issued by sub CA 'A', but I can also authenticate with a certificate issued by sub CA 'B'.

Instead of SSLCACertificateFile I tried SSLCACertificatePath:

   SSLEngine on
   SSLVerifyClient require
   SSLVerifyDepth 2
   SSLCACertificatePath /<path-to>/
   SSLCertificateFile /<path-to>/cert.pem
   SSLCertificateKeyFile /<path-to>/key.pem

The directory SSLCACertificatePath refers to contains cacert.pem and subcaacert.pem. Hash symlinks are also created in that directory with the Makefile (http://search.cpan.org/src/MADWOLF/OpenCA-PKCS7-0.9.13/test/chain/Makefile).

When I connect with a certificate issued by sub CA 'A' I get the following error:

Certificate Verification: Error (20): unable to get local issuer certificate

I'm kind of stuck at the moment. I have googled for solutions, but I haven't found anything useful.

Can anyone advise me on how to solve this issue?

Thanks in advance for any help.

Kind regards,

Carol

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
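The three outcomes in the post above can be reproduced outside Apache with `openssl verify`, which runs the same chain-building logic mod_ssl calls. The script below is an added example and is not code from the original post or from mod_ssl: it builds a throw-away PKI shaped like the one described (Root -> sub CA 'A', Root -> sub CA 'B'), issues one client certificate under each sub CA, and checks what each kind of trust store accepts. Every file name, DN and the scratch directory (`$PKI`) is constructed for the demo; `-partial_chain` needs OpenSSL 1.0.2 or later. The points it shows: OpenSSL anchors trust at the self-signed root it finds in the store, so once cacert.pem is trusted (the cachain.pem setup) a client from 'B' verifies as soon as it presents sub CA 'B' in its chain; keeping 'B' out by structure alone means the store must hold only sub CA 'A' and the verifier must accept a chain that ends there, which pre-1.0.2 OpenSSL cannot do and which Apache 2.2 exposes no option for (otherwise an issuer-DN check such as SSLRequire is what is left); and a `-CApath` directory is searched by subject-name hash, so certificates without matching `<hash>.0` links are invisible and the leaf's issuer is "not found locally", the error 20 seen with SSLCACertificatePath. OpenSSL 1.0.0 changed the hash algorithm (`-subject_hash` versus the 0.9.8-era `-subject_hash_old`), so links made by an old Makefile may not match the library doing the lookup.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away PKI shaped like
# Root -> sub CA 'A' and Root -> sub CA 'B', verified with `openssl verify`.
# All names, DNs and paths below are constructed for this demo.
set -eu

PKI="${PKI:-$(mktemp -d)}"      # assumption: a writable scratch directory

# issue NAME CN ISSUER KIND -- ISSUER is another NAME or "self"; KIND is ca|leaf
issue() {
    name=$1; cn=$2; issuer=$3; kind=$4
    openssl genrsa -out "$PKI/$name.key" 2048 2>/dev/null
    openssl req -new -key "$PKI/$name.key" -subj "/CN=$cn" -out "$PKI/$name.csr" 2>/dev/null
    if [ "$kind" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$PKI/$name.ext"
    else
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$PKI/$name.ext"
    fi
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" -days 30 \
            -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.crt" -CAkey "$PKI/$issuer.key" \
            -CAcreateserial -days 30 -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
    fi
}

build_pki() {
    issue root     "Demo Root CA"  self   ca
    issue subcaa   "Demo Sub CA A" root   ca
    issue subcab   "Demo Sub CA B" root   ca
    issue client_a "alice"         subcaa leaf
    issue client_b "bob"           subcab leaf
    cat "$PKI/root.crt" "$PKI/subcaa.crt" >"$PKI/cachain.pem"   # Root + 'A', like cachain.pem
}

# verify_with TRUST_FILE LEAF UNTRUSTED [FLAGS...] -> prints accepted|rejected
# UNTRUSTED plays the intermediate a client sends along with its own certificate.
verify_with() {
    trust=$1; leaf=$2; untrusted=$3; shift 3
    if openssl verify -CAfile "$trust" -untrusted "$untrusted" "$@" "$leaf" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# capath_verify DIR LEAF -> accepted|rejected; issuers are looked up by hash in DIR
# (no -untrusted here: the client presented only its own certificate)
capath_verify() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Create the <subject_hash>.0 links a -CApath directory needs (OpenSSL >= 1.0.0 hash;
# links built with the 0.9.8 algorithm, -subject_hash_old, are not found by newer libraries).
rehash_dir() {
    for f in "$1"/*.crt; do
        ln -sf "$(basename "$f")" "$1/$(openssl x509 -noout -subject_hash -in "$f").0"
    done
}

build_pki
mkdir -p "$PKI/capath"
cp "$PKI/root.crt" "$PKI/subcaa.crt" "$PKI/capath/"

# 1. Trust store = Root + 'A': the root anchors everything beneath it, 'B' included.
echo "root+A trust, client from A: $(verify_with "$PKI/cachain.pem" "$PKI/client_a.crt" "$PKI/subcaa.crt")"
echo "root+A trust, client from B: $(verify_with "$PKI/cachain.pem" "$PKI/client_b.crt" "$PKI/subcab.crt")"
# 2. Trust store = sub CA 'A' only, accepted as a partial-chain anchor: 'B' is out.
echo "A-only trust, client from A: $(verify_with "$PKI/subcaa.crt" "$PKI/client_a.crt" "$PKI/subcaa.crt" -partial_chain)"
echo "A-only trust, client from B: $(verify_with "$PKI/subcaa.crt" "$PKI/client_b.crt" "$PKI/subcab.crt" -partial_chain)"
# 3. -CApath: the same certificates are useless until the hash links exist.
echo "CApath without hash links: $(capath_verify "$PKI/capath" "$PKI/client_a.crt")"
rehash_dir "$PKI/capath"
echo "CApath with hash links:    $(capath_verify "$PKI/capath" "$PKI/client_a.crt")"
```

Run it as `PKI=/tmp/demo-pki sh demo.sh` to keep the generated material for inspection; `openssl verify` without the `>/dev/null 2>&1` redirection prints the depth and error code for each rejection, which is the quickest way to tell "issuer not in the store" (the partial-chain case) from "issuer not found locally" (the unhashed `-CApath` case).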