Hi all,

I'm trying to configure client authentication for one of my sites
(SuSe 9.0, apache 2.0.48, openssl-0.9.7b-133 distribution's rpm).
You will find below the steps I'm following, the problem I have is
that, when I go to the page, it first asks me to accept the server's
certificate, then asks me to select one of the client certificates
imported in the browser, and then:
- on IE, it gives me the error "Cannot find server or DNS Error"
- on Firefox, it gives me a blank page

In the apache log file:
[Tue Jul 12 15:03:41 2005] [error] Re-negotiation handshake failed:
Not accepted by client!?
[Tue Jul 12 15:03:43 2005] [notice] child pid 9192 exit signal
Segmentation fault (11)

If I remove "SSLVerifyClient require" and authenticate only the
server, I can see the right web page.

After several unsuccessful tests, I'm wondering whether I'm missing something.

Here are the steps I follow:

1. Generate my own Certificate Authority:

   openssl genrsa -out itcilo-ca.key 2048
   openssl req -new -x509 -days 3650 -key itcilo-ca.key -out itcilo-ca.crt

2. Generate the server key and request for signing:

   openssl genrsa -out tomcat-server.key 1024
   openssl req -new -key tomcat-server.key -out tomcat-server.csr

3. Sign the certificate signing request with the self-created
   certificate authority:

   openssl x509 -req -in tomcat-server.csr -out tomcat-server.crt -sha1 \
       -CA itcilo-ca.crt -CAkey itcilo-ca.key -days 3650

   I had to create an itcilo-ca.srl file (echo "01" > itcilo-ca.srl).

4. Create a new private key and a certificate request for the user:

   openssl genrsa -out lams.key 1024
   openssl req -new -key lams.key -out lams.csr

5. Sign the certificate request, thereby creating the client certificate:

   openssl x509 -req -in lams.csr -out lams.crt -sha1 -CA itcilo-ca.crt \
       -CAkey itcilo-ca.key -days 3650

6. Generate the PKCS#12 certificate:

   openssl pkcs12 -export -in lams.crt -inkey lams.key -name "Lams Gael Cert" \
       -out lams.p12

7. Import the certificate into the browser.

And here is my virtual host configuration:

<VirtualHost *:443>
    ServerAdmin myemailaddress
    DocumentRoot /srv/www/vhosts/myfqdn
    ServerName myfqdn
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/tomcat-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/tomcat-server.key
    SSLCACertificateFile /etc/apache2/ssl.crt/itcilo-ca.crt
</VirtualHost>

<Directory /srv/www/vhosts/myfqdn>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1

    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Any help or pointer would be greatly appreciated.

Regards,

gaël
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
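The procedure in steps 1 to 6 above, as one POSIX shell script with the offline checks worth running before the certificates go anywhere near Apache or a browser. This is an added example, not gaël's script or files: the CA, server and client names (demo-ca, other-ca, demo-server, demo-client), the WORK directory and the export password are assumptions made here, -subj replaces the interactive prompts, and the certificates are signed with SHA-256 instead of the -sha1 used in the post. The checks mirror what mod_ssl does with SSLCACertificateFile and SSLVerifyDepth 1: the client certificate must verify against the configured CA file and must be issued directly by a certificate in it; a second, unrelated CA is generated to show the failing case.

```shell
#!/bin/sh
# Added example (not the poster's files): build a throwaway CA, a server cert and a
# client cert with the same openssl steps as the post, then check the client cert
# the way mod_ssl will before importing it into a browser. All names here
# (demo-ca, other-ca, demo-server, demo-client, WORK) are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Step 1: self-signed CA. -subj replaces the interactive prompts of openssl req.
make_ca() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$1.key" -subj "/CN=$1" \
        -out "$1.crt" 2>/dev/null
}

# Steps 2-5: key and CSR for subject $1, signed by CA $2.
# -CAcreateserial creates the .srl file the poster had to make by hand.
issue_cert() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 3650 -sha256 -out "$1.crt" 2>/dev/null
}

# Step 6: PKCS#12 bundle (key + cert) for the browser; $2 is the export password.
export_p12() {
    openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -name "$1" \
        -passout "pass:$2" -out "$1.p12" 2>/dev/null
}

# The check mod_ssl performs against SSLCACertificateFile: does cert $1 chain to CA $2?
# Prints OK or FAIL and returns the matching exit status.
verify_against_ca() {
    if openssl verify -CAfile "$2.crt" "$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
        return 1
    fi
}

# SSLVerifyDepth 1 only accepts a client cert issued directly by a cert in the CA
# file: compare the client cert's issuer with the CA's subject.
issued_directly_by() {
    issuer=$(openssl x509 -in "$1.crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$2.crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Confirm the cert inside the .p12 (password $2) is the one the CA signed, by
# comparing SHA-256 fingerprints; a wrong password yields no cert and a mismatch.
p12_matches_cert() {
    in_p12=$(openssl pkcs12 -in "$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true)
    on_disk=$(openssl x509 -in "$1.crt" -noout -fingerprint -sha256)
    [ -n "$in_p12" ] && [ "$in_p12" = "$on_disk" ]
}

make_ca demo-ca
make_ca other-ca            # a second CA that did NOT sign the client cert
issue_cert demo-server demo-ca
issue_cert demo-client demo-ca
export_p12 demo-client changeit

printf 'client vs demo-ca:  '; verify_against_ca demo-client demo-ca
printf 'client vs other-ca: '; verify_against_ca demo-client other-ca || true
issued_directly_by demo-client demo-ca && echo "demo-client is directly under demo-ca (depth 1)"
p12_matches_cert demo-client changeit && echo "demo-client.p12 carries the signed cert"
```

If verify_against_ca prints FAIL for the CA that Apache actually points at, or issued_directly_by fails because an intermediate sits between the CA file and the client certificate, mod_ssl with SSLVerifyDepth 1 will reject the client certificate during the (re)negotiation regardless of what the browser shows.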
