Create a new self-signed client CA certificate with the same key and Subject, setting the Issuer to the Subject of the client CA, and signed with the client CA private key. Use this as your client-authenticator "root".
Alternatively, you might play around with policies, but that relies on your hierarchy already having policies in its certificates.

-Kyle H

On Mar 8, 2013 3:18 PM, "Ian Pilcher" <arequip...@gmail.com> wrote:
>               +---------+
>               | Root CA |
>               +---------+
>                   /\
>                  /  \
>                 /    \
>                /      \
>               /        \
>              /          \
>             /            \
>            /              \
>  +-----------+           +-----------+
>  | Server CA |           | Client CA |
>  +-----------+           +-----------+
>
> Given the above CA hierarchy, how can I configure a (server) SSL_CTX to
> accept connections *only* from clients which present a certificate
> signed by the Client CA?
>
> As is well documented, I cannot simply trust the Client CA.
> SSL_accept() will fail, because it cannot form a certificate chain all
> the way to the self-signed Root CA.
>
> I have found, however, that adding the Root CA certificate to the
> trusted certificate file/directory causes certificates signed by the
> Server CA to be accepted as well. (The client has to present both its
> certificate and the Server CA certificate, but it is able to connect.)
>
> So how can I do this? Thanks!
>
> --
> ========================================================================
> Ian Pilcher                                         arequip...@gmail.com
> Sometimes there's nothing left to do but crash and burn...or die trying.
> ========================================================================
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
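The re-signing trick from Kyle's reply, as an added shell example that is not part of the thread: it builds a throw-away PKI with the hierarchy from the question (all names and subjects are made up), derives a self-signed "Client CA" anchor from the Client CA's own key and Subject, and checks with `openssl verify` that a Client-CA-issued certificate chains to that anchor while a Server-CA-issued one does not. It assumes the `openssl` command-line tool (1.1.1 or later) and `mktemp` are available.

```sh
#!/bin/sh
# Throw-away PKI shaped like the one in the question: Root CA -> Server CA / Client CA,
# one leaf under each. Then derive the self-signed Client CA anchor Kyle describes
# (same key, same Subject, Issuer == Subject) and check what chains to it.
set -eu

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Minimal req config so -subj works without depending on the system openssl.cnf.
write_cfg() {
  printf '[req]\ndistinguished_name = dn\n[dn]\nCN = Common Name\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
}

# issue KEY SUBJECT CA_PREFIX EXTFILE OUT: certify KEY for SUBJECT with CA_PREFIX.{key,crt}.
issue() {
  openssl req -new -config req.cnf -key "$1" -subj "$2" -out tmp.csr
  openssl x509 -req -in tmp.csr -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 365 -extfile "$4" -out "$5" 2>/dev/null
}

# selfsign KEY SUBJECT OUT: self-signed CA certificate (Issuer == Subject) for KEY.
selfsign() {
  openssl req -x509 -new -config req.cnf -key "$1" -subj "$2" -days 365 \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -out "$3"
}

# Builds everything in a fresh directory and prints its path.
setup_pki() {
  dir=$(mktemp -d); cd "$dir"; write_cfg
  for k in root serverca clientca server client; do newkey "$k.key"; done
  selfsign root.key "/CN=Root CA" root.crt
  issue serverca.key "/CN=Server CA" root ca.ext serverca.crt
  issue clientca.key "/CN=Client CA" root ca.ext clientca.crt
  issue server.key "/CN=some-server" serverca leaf.ext server.crt
  issue client.key "/CN=some-client" clientca leaf.ext client.crt
  # Kyle's trick: re-sign the Client CA's own key and Subject with itself.
  selfsign clientca.key "/CN=Client CA" clientca-anchor.crt
  echo "$dir"
}

# verify_with ANCHOR LEAF [UNTRUSTED]: 0 if LEAF chains to ANCHOR, non-zero otherwise.
verify_with() {
  if [ -n "${3:-}" ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; fi
}
```

Pointing the server's trusted-certificate file at `clientca-anchor.crt` gives the same result in `SSL_CTX_load_verify_locations()`: the original Client CA certificate alone cannot complete a chain, the Root CA admits Server CA leaves too, and the self-signed anchor admits only Client CA leaves.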