On Mon, Jun 07, 2010, Scott Thomas wrote:

> Bonjour All Users,
>
> My setup has a ROOT CA and 3 levels of Sub CA's. I have generated apache web
> server and client certificates from each of the ROOT and Sub CA's.
>
> I have configured my APACHE web server for client certificate (mutual)
> authentication. I have generated the apache web server certificate and
> client certificates from the ROOT CA with proper extensions. In case of Root
> CA, it works well. Mutual authentication works fine.
>
> In case of Sub CA, the apache web server certificate and client certificates
> are generated by SubCA with the same extensions/profile as in case of ROOT
> CA. But when I try to authenticate users from Sub CA's then following error
> occurs "unhandled critical extension". SSLCACertificateFile contains the
> concatenated certificates of all the CA's (issuing CA certificate is at top
> and Root ca certificate is at bottom of this file)
>
Well the message is clear enough. A certificate in the chain includes a
critical extension that OpenSSL does not handle. Without seeing the
extensions in each certificate it isn't clear which one is causing the
problem.

Try this command:

    openssl verify -CAfile root.pem -untrusted subcas.pem client.pem

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
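To see the extensions in each certificate of the chain, as the reply asks, the following added example (not part of the original thread) lists every extension marked critical next to the subject of the certificate that carries it. The function names, the sample subjects and the sample OID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find which certificate in a chain
# carries extensions marked critical.

# Reads `openssl x509 -text` style output for one or more certificates on
# stdin; prints "<subject> | <extension name or OID>" per critical extension.
critical_exts() {
    awk '
        /^[ \t]*Subject:/ {
            subject = $0
            sub(/^[ \t]*Subject:[ \t]*/, "", subject)
        }
        /: critical[ \t]*$/ {
            ext = $0
            sub(/^[ \t]+/, "", ext)
            sub(/:[ \t]*critical[ \t]*$/, "", ext)
            print subject " | " ext
        }
    '
}

# Dump every certificate in a PEM bundle as text and filter the result.
scan_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout |
        critical_exts
}

# Constructed sample text (hypothetical names and OID), shaped like the dump.
sample_dump() {
    cat <<'EOF'
Certificate:
        Subject: CN=Example Sub CA 1
        Subject Public Key Info:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            1.2.3.4.5: critical
                ....
Certificate:
        Subject: CN=client
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
EOF
}

if [ "$#" -gt 0 ]; then scan_bundle "$1"; else sample_dump | critical_exts; fi
```

Run it with the concatenated CA file or a client certificate as the argument; an extension printed as a bare OID rather than a name is one that this OpenSSL build does not recognise.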