Hi, Same setup as works with both subCAs. Use the SSLRequire directive. Restrict on the client certs issuer field (SSL_CLIENT_I_DN...).
Regards Matt ----- Original Message ---- From: leanmeandonothingmachine <leanmeandonothingmach...@gmail.com> To: modssl-users@modssl.org Sent: Thursday, March 12, 2009 2:03:07 PM Subject: Client Verification with sub ca's I have a self signed ca, with multiple sub-ca's. root -sub-ca1 -sub-ca2 -server I sign client certificates with either -sub-ca1 or -sub-ca2, and use server to sign certificates for the actual website. So in my apache config, i have this: SSLEngine on SSLOptions +stdEnvVars SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /data/keys/test.crt SSLCertificateKeyFile /data/keys/test.key SSLCertificateChainFile /data/keys/chain.pem SSLVerifyClient require SSLVerifyDepth 2 SSLCACertificateFile /data/keys/ca.pem test.crt is signed by server. chain.pem contains server and root in that order ca.pem contains sub-ca2 and root in that order Everything seems to work fine except for the fact that the website also excepts client certificates signed by sub-ca1. But I'm trying to restrict this site to only sub-ca2 clients. I tried: 1) removing the root from ca.pem, that gives me a "Certificate Verification: Error (2): unable to get issuer certificate" error. 2) removing the root from ca.pem adding sub-ca2 to chain.pem, same error. 3) changing SSLVerifyDepth to 1, that give me a "Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)" error. Anyone know how to get apache to only allow clients from one sub-ca but not others signed by the same root? -- View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22469681.html Sent from the mod_ssl - Users mailing list archive at Nabble.com. ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager majord...@modssl.org ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager majord...@modssl.org