Hello,

>> So can you confirm that entering "Tools->Internet
>> Options->Content->Certificates" shows "Personal" certs, and that if you
>> "View" them it states there's a private key associated with that cert?
>> And then confirm that the CA that signed that cert is one trusted by
>> Apache via SSLCACertificateFile or SSLCACertificatePath (those should
>> point to copies of the CA public keys - not the same cert that is on the
>> client). I can't figure out from your mail if you've already worked that
>> out, so sorry if that's pointing out the bleeding obvious ;-)
Yes, I have a VeriSign Class 1 personal certificate. It states that: "You
have a private key that corresponds to this certificate". I asked VeriSign
for the certificate that signed my cert and they sent it to me. It was
base64; I converted it to what appears to be PEM format. I have this file
(verisign.pem) as my SSLCACertificateFile and manually created the hash link
to it. So right now I have this included within this server's virtualhost:

# Config for the Client Side Certificates
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /export/CA/certs/verisign.pem
SSLCACertificatePath /export/CA/certs
SSLProtocol ALL
SSLCipherSuite ALL
<Location />
SSLRequire %{REMOTE_ADDR} =~ m/^x\.x\.x\.[0-9]+$/
</Location>
</VirtualHost>

And the certs dir has 1 link and 1 file:

lrwxrwxrwx   1 root     other         12 Nov  2 10:57 c19d42c7.0 -> verisign.pem
-rw-r--r--   1 root     other       3028 Nov  2 10:49 verisign.pem

>> That's what SSLCACertificateFile or SSLCACertificatePath is about. You
>> can use that to restrict what client certs you support down to just
>> those signed by those CAs. To further restrict to a subselection, see
>> mod_ssl documentation for SSLRequire - e.g.
>>
>> SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
>> and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

I see. Thanks for the tip. To keep this simple I am using SSLRequire and
check for my IP.

I continue to get the blank pop-up window that asks me to select a cert. I
rebooted my laptop for good measure. The same error appears in my apache
error log.

[Wed Nov  2 11:20:17 2005] [error] mod_ssl: SSL handshake failed (server ice.choiceonecom.com:443, client 216.153.201.171) (OpenSSL library error follows)
[Wed Nov  2 11:20:17 2005] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Is my verisign.pem in the wrong format?
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            39:ca:54:89:fe:50:22:32:fe:32:d9:db:fb:1b:84:19
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
        Validity
            Not Before: May 18 00:00:00 1998 GMT
            Not After : May 18 23:59:59 2018 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:aa:d0:ba:be:16:2d:b8:83:d4:ca:d2:0f:bc:76:
                    31:ca:94:d8:1d:93:8c:56:02:bc:d9:6f:1a:6f:52:
                    36:6e:75:56:0a:55:d3:df:43:87:21:11:65:8a:7e:
                    8f:bd:21:de:6b:32:3f:1b:84:34:95:05:9d:41:35:
                    eb:92:eb:96:dd:aa:59:3f:01:53:6d:99:4f:ed:e5:
                    e2:2a:5a:90:c1:b9:c4:a6:15:cf:c8:45:eb:a6:5d:
                    8e:9c:3e:f0:64:24:76:a5:cd:ab:1a:6f:b6:d8:7b:
                    51:61:6e:a6:7f:87:c8:e2:b7:e5:34:dc:41:88:ea:
                    09:40:be:73:92:3d:6b:e7:75
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        8b:f7:1a:10:ce:76:5c:07:ab:83:99:dc:17:80:6f:34:39:5d:
        98:3e:6b:72:2c:e1:c7:a2:7b:40:29:b9:78:88:ba:4c:c5:a3:
        6a:5e:9e:6e:7b:e3:f2:02:41:0c:66:be:ad:fb:ae:a2:14:ce:
        92:f3:a2:34:8b:b4:b2:b6:24:f2:e5:d5:e0:c8:e5:62:6d:84:
        7b:cb:be:bb:03:8b:7c:57:ca:f0:37:a9:90:af:8a:ee:03:be:
        1d:28:9c:d9:26:76:a0:cd:c4:9d:4e:f0:ae:07:16:d5:be:af:
        57:08:6a:d0:a0:42:42:42:1e:f4:20:cc:a5:78:82:95:26:38:
        8a:47
-----BEGIN CERTIFICATE-----
MIIDAjCCAmsCEDnKVIn+UCIy/jLZ2/sbhBkwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
DTk4MDUxODAwMDAwMFoXDTE4MDUxODIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMSBQdWJsaWMg
UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCq0Lq+Fi24g9TK0g+8djHKlNgdk4xWArzZbxpvUjZudVYK
VdPfQ4chEWWKfo+9Id5rMj8bhDSVBZ1BNeuS65bdqlk/AVNtmU/t5eIqWpDBucSm
Fc/IReumXY6cPvBkJHalzasab7bYe1FhbqZ/h8jit+U03EGI6glAvnOSPWvndQID
AQABMA0GCSqGSIb3DQEBBQUAA4GBAIv3GhDOdlwHq4OZ3BeAbzQ5XZg+a3Is4cei
e0ApuXiIukzFo2penm574/ICQQxmvq37rqIUzpLzojSLtLK2JPLl1eDI5WJthHvL
vrsDi3xXyvA3qZCviu4Dvh0onNkmdqDNxJ1O8K4HFtW+r1cIatCgQkJCHvQgzKV4
gpUmOIpH
-----END CERTIFICATE-----

-Raymond
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
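The check behind this thread, as an added example that is not part of the original mail: the CA file handed to mod_ssl must contain the certificate that directly issued the personal cert, not only the root above it, and the hash link in SSLCACertificatePath must be named by the same OpenSSL build Apache links against. The "[Hint: No CAs known to server for verification?]" line is what mod_ssl logs whenever the client sends no certificate at all. The server advertises the subject names of every cert in SSLCACertificateFile in its CertificateRequest (visible as "Acceptable client certificate CA names" in `openssl s_client -connect host:443`), and a browser builds its certificate picker from certs that chain to one of those names; if the file holds only a public root while the personal cert was issued by an intermediate CA under that root, the picker comes up empty and the handshake fails exactly as logged. The script below is my own; it constructs a toy root, a toy intermediate and a client cert (all DNs, file names and function names such as make_chain, issuer_known, verify_client and make_hash_link are this example's inventions, and nothing in it comes from VeriSign or from the original poster's setup) and then shows a root-only CA file rejecting the cert while a root + intermediate bundle and a hashed directory accept it. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a CONSTRUCTED
# three-level chain (toy root CA -> toy intermediate CA -> personal cert)
# and runs the checks a server admin should do before pointing mod_ssl's
# SSLCACertificateFile / SSLCACertificatePath at a CA file. Function and
# DN names are this example's own. Requires the openssl CLI.
set -e

# Create root.pem, intermediate.pem and client.pem (plus keys) under $1 (absolute path).
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Toy root, standing in for a public root such as the Class 1 G2 root in the mail.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/C=US/O=Example Corp/OU=Toy Class 1 Root CA" 2>/dev/null
    # Toy intermediate, signed by the root. This is the cert that actually
    # issues personal certs, so it is the one the server must know about.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" \
        -subj "/C=US/O=Example Corp/OU=Toy Individual Subscriber CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 2 -set_serial 1000 -in "$dir/intermediate.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -extfile "$dir/ca.ext" \
        -out "$dir/intermediate.pem" 2>/dev/null
    # Personal (client) cert, signed by the intermediate, not by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/C=US/O=Example Corp/OU=Persona Not Validated/CN=Raymond" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/leaf.ext"
    openssl x509 -req -sha256 -days 2 -set_serial 2000 -in "$dir/client.csr" \
        -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" -extfile "$dir/leaf.ext" \
        -out "$dir/client.pem" 2>/dev/null
}

# Does the issuer DN of cert $1 match the subject DN of some cert in bundle $2?
# With SSLVerifyDepth 1 mod_ssl needs exactly this: the direct issuer must be in
# SSLCACertificateFile; a root further up the chain does not count.
issuer_known() {
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    split=$(mktemp -d)
    # Split the bundle into one file per certificate; any text before the first
    # BEGIN line (e.g. an "openssl x509 -text" dump) lands in ca.pem and is ignored.
    awk -v d="$split" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/ca" n ".pem")}' "$2"
    rc=1
    for f in "$split"/ca*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//')
        if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then rc=0; break; fi
    done
    rm -rf "$split"
    return $rc
}

# Verify client cert $1 with bundle $2 as the explicitly trusted CAs.
verify_client() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# Same, but with $3 supplied as an UNTRUSTED intermediate, the way a browser that
# sends its whole chain would. Whether mod_ssl accepts that depends on SSLVerifyDepth.
verify_client_untrusted() { openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; }
# Verify against a hashed directory, i.e. the SSLCACertificatePath layout.
verify_client_path() { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

# Create the <subject-hash>.0 symlink SSLCACertificatePath needs for cert $2
# (absolute path) in directory $1 and print the link name. Current OpenSSL
# hashes with SHA-1; names like c19d42c7.0 in the mail came from the old
# MD5-based hash, which current builds print with -subject_hash_old.
make_hash_link() {
    h=$(openssl x509 -in "$2" -noout -hash)
    ln -sf "$2" "$1/$h.0"
    echo "$h.0"
}

# Demo: a root-only CA file fails, a file holding root + intermediate works.
WORK=$(mktemp -d)
make_chain "$WORK"
cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/bundle.pem"
for cafile in root.pem bundle.pem; do
    if issuer_known "$WORK/client.pem" "$WORK/$cafile"; then known=yes; else known=no; fi
    if verify_client "$WORK/client.pem" "$WORK/$cafile"; then res=OK; else res=FAIL; fi
    echo "$cafile: client issuer listed=$known, openssl verify=$res"
done
```

To apply the same check to the real setup, compare `openssl x509 -in personal.pem -noout -issuer` (the personal cert exported from the browser, public part only) with the subjects in verisign.pem; if the issuer is not one of them, append the issuing CA's certificate to verisign.pem and add a hash link for it with `openssl x509 -hash` from the same OpenSSL build Apache uses. Once the direct issuer is in the file, SSLVerifyDepth 1 is sufficient, because the personal cert is then signed by a CA the server knows directly.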