Hello,

>> So can you confirm that entering "Tools->Internet
>> Options->Content->Certificates" shows "Personal" certs, and that if you
>> "View" them it states there's a private key associated with that cert?
>> And then confirm that the CA that signed that cert is one trusted by
>> Apache via SSLCACertificateFile or SSLCACertificatePath (those should
>> point to copies of the CA public keys - not the same cert that is on the
>> client. I can't figure out from your mail if you've already worked that
>> out, so sorry if that's pointing out the bleeding obvious ;-)

Yes, I have a Verisign Class 1 personal certificate.

It states that:

"You have a private key that corresponds to this certificate".

I asked Verisign for the certificate that signed my cert and they sent it to 
me.  It was base64, I converted to what appears to be a PEM format.  I have 
this file (verisign.pem) as my SSLCACertificateFile and manually created the 
hash link to it.

So right now I have this included within this server's virtualhost:

# Config for the Client Side Certificates
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /export/CA/certs/verisign.pem
SSLCACertificatePath /export/CA/certs
SSLProtocol     ALL
SSLCipherSuite  ALL
  <Location />
    SSLRequire %{REMOTE_ADDR} =~ m/^x\.x\.x\.[0-9]+$/
  </Location>
</VirtualHost>

And the certs dir has 1 link and 1 file:

lrwxrwxrwx   1 root     other         12 Nov  2 10:57 c19d42c7.0 -> verisign.pem

-rw-r--r--   1 root     other       3028 Nov  2 10:49 verisign.pem



>> That's what SSLCACertificateFile or SSLCACertificatePath is about. You
>> can use that to restrict what client certs you support down to just
>> those signed by those CAs. To further restrict to a subselection, see
>> mod_ssl documentation for SSLRequire - e.g.
>> 
>> SSLRequire       %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
>>                and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

I see.  Thanks for the tip.

To keep this simple I am using SSLRequire and check for my IP.

I continue to get the blank pop-up window that asks me to select a cert.

I rebooted my laptop for good measure.

The same error appears in my apache error log.

[Wed Nov  2 11:20:17 2005] [error] mod_ssl: SSL handshake failed (server ice.choiceonecom.com:443, client 216.153.201.171) (OpenSSL library error follows)

[Wed Nov  2 11:20:17 2005] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Is my verisign.pem in the wrong format?


Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            39:ca:54:89:fe:50:22:32:fe:32:d9:db:fb:1b:84:19
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
        Validity
            Not Before: May 18 00:00:00 1998 GMT
            Not After : May 18 23:59:59 2018 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption



-Raymond
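A check for the two things Apache needs before SSLVerifyClient can succeed, added here as an example and not part of the thread: it builds a throwaway CA and client cert with the openssl CLI (stand-ins for verisign.pem and the Class 1 personal cert), then confirms that the hash link in SSLCACertificatePath is named after the CA's subject hash and that the client cert verifies against that directory within SSLVerifyDepth 1. The CA name, paths and the check_hash_links/verify_client helpers are all assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA + client cert are
# generated so the checks run offline; nothing here is the poster's data.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# 1. self-signed test CA (stands in for verisign.pem)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 2 >/dev/null 2>&1
# 2. client key + CSR, signed directly by the CA (so chain depth is 1)
openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" -days 1 >/dev/null 2>&1
# 3. SSLCACertificatePath layout: <subject_hash>.0 -> ca.pem
mkdir "$WORK/certs"; cp "$WORK/ca.pem" "$WORK/certs/"
( cd "$WORK/certs" && ln -s ca.pem "$(openssl x509 -noout -subject_hash -in ca.pem).0" )

# Does every hash link in a certs dir carry the subject hash of the cert it
# points at?  Old-style names (-subject_hash_old, as c19d42c7.0 in the post)
# are accepted too.  Prints one line per link; returns 1 on any mismatch.
check_hash_links() {
  dir=$1; rc=0
  for link in "$dir"/*.[0-9]; do
    [ -L "$link" ] || continue
    name=$(basename "$link"); want=${name%.*}
    new=$(openssl x509 -noout -subject_hash -in "$link")
    old=$(openssl x509 -noout -subject_hash_old -in "$link" 2>/dev/null || echo none)
    if [ "$want" = "$new" ] || [ "$want" = "$old" ]; then echo "$name ok"
    else echo "$name mismatch (expected $new.0)"; rc=1; fi
  done
  return $rc
}

# Would mod_ssl accept this client cert?  -CApath mirrors SSLCACertificatePath,
# -verify_depth mirrors SSLVerifyDepth.  Returns 0 when the chain verifies.
verify_client() { openssl verify -CApath "$1" -verify_depth "$2" "$3" >/dev/null 2>&1; }

check_hash_links "$WORK/certs"
verify_client "$WORK/certs" 1 "$WORK/client.pem" && echo "client cert verifies at depth 1"
```

If the link name does not match, mod_ssl never finds the CA and reports the same "No CAs known to server" hint as in the log above.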

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
