Mutual Authentication using Multiple CA's in Apache (mod_ssl) does not work

2010-06-07 Thread Scott Thomas
Bonjour All Users,


My setup has a ROOT CA and 3 levels of Sub CA's. I have generated Apache web
server and client certificates from every one of the ROOT and Sub CA's.

I have configured my Apache web server for client certificate (mutual)
authentication. I have generated the Apache web server certificate and client
certificates from the ROOT CA with proper extensions. In case of the Root CA, it
works well. Mutual authentication works fine.

In case of a Sub CA, the Apache web server certificate and client certificates
are generated by the Sub CA with the same extensions/profile as in case of the
ROOT CA. But when I try to authenticate users from Sub CA's, then the following
error occurs: unhandled critical extension. SSLCACertificateFile contains the
concatenated certificates of all the CA's (the issuing CA certificate is at the
top and the Root CA certificate is at the bottom of this file)


Here is my vhost file

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
DocumentRoot /srv/www/htdocs/
ServerName XX
RewriteEngine On
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

<VirtualHost *:443>

DocumentRoot /srv/www/htdocs/
ServerName X
SSLEngine on
SSLCipherSuite HIGH
SSLProtocol all -SSLv2

SSLCertificateFile /etc/apache2/certificates/cert.pem
SSLCertificateKeyFile /etc/apache2/certificates/key.pem
SSLCACertificateFile /etc/apache2/certificates/chain.pem
#SSLCertificateChainFile /etc/apache2/certificates/chain.pem
# chain.pem contains all the upper level certificates concatenated such that
# the 1st certificate is of the issuing CA, going downward towards the root CA...
# I have also tried with the SSLCertificateChainFile directive but the error
# is the same ...

<Directory /srv/www/htdocs/>
SSLVerifyClient require
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_CN} eq
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
</Directory>

</VirtualHost>

I am using OpenSSL version 0.9.8h release 28 May 2008 and Apache version 
2.2.10-2.5

Kindly guide me in this aspect.
Waiting for your kind Reply

Best Regards
Scott Thomas


Re: Mutual Authentication using Multiple CA's in Apache (mod_ssl) does not work

2010-06-07 Thread Dr. Stephen Henson
On Mon, Jun 07, 2010, Scott Thomas wrote:

> Bonjour All Users,
> 
> 
> My setup has a ROOT CA and 3 levels of Sub CA's. I have generated Apache web
> server and client certificates from every one of the ROOT and Sub CA's.
> 
> I have configured my Apache web server for client certificate (mutual)
> authentication. I have generated the Apache web server certificate and
> client certificates from the ROOT CA with proper extensions. In case of the
> Root CA, it works well. Mutual authentication works fine.
> 
> In case of a Sub CA, the Apache web server certificate and client certificates
> are generated by the Sub CA with the same extensions/profile as in case of the
> ROOT CA. But when I try to authenticate users from Sub CA's, then the following
> error occurs: unhandled critical extension. SSLCACertificateFile contains the
> concatenated certificates of all the CA's (the issuing CA certificate is at the
> top and the Root CA certificate is at the bottom of this file)
> 
> 

Well the message is clear enough. A certificate in the chain includes a
critical extension that OpenSSL does not handle.

Without seeing the extensions in each certificate it isn't clear which one is
causing the problem. Try this command:

openssl verify -CAfile root.pem -untrusted subcas.pem client.pem

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
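A diagnostic script for the exchange above, added here and not part of the thread or of OpenSSL: it splits the SSLCACertificateFile bundle, lists the extensions each certificate marks critical so the one carrying the unhandled critical extension can be picked out, and wraps the openssl verify check from the reply. It assumes openssl on PATH; root.pem, subcas.pem and client.pem are placeholder file names.

```shell
#!/bin/sh
# Diagnostic for the "unhandled critical extension" failure in the thread
# above: split the mod_ssl CA bundle (SSLCACertificateFile), list every
# extension each certificate marks critical, and run the verify check from
# the reply. Assumes openssl on PATH; root.pem, subcas.pem and client.pem
# are placeholders for your own files.

# Split a PEM bundle into $2/cert-NN.pem, one certificate per file, in
# bundle order. Prints the number of certificates found.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inblk = 1 }
        inblk { print > f }
        /-----END CERTIFICATE-----/ { inblk = 0; close(f) }
        END { print n + 0 }' "$bundle"
}

# Print one certificate's subject and each extension it marks critical.
# "openssl x509 -text" lists extensions at a 12-space indent as
# "<name>: critical". One OpenSSL has no handler for is printed as a bare
# dotted OID (e.g. "1.2.3.4: critical"); that is the certificate the
# verifier rejects with "unhandled critical extension".
critical_extensions() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -E '^ {12}[^ ].*: critical' | sed 's/^ *//'
}

# Run critical_extensions over every certificate in a bundle.
report_bundle() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir" >/dev/null
    for c in "$dir"/cert-*.pem; do
        critical_extensions "$c"
        echo
    done
    rm -rf "$dir"
}

# The check from the reply: the client cert against the trusted root, with
# the Sub CA certs supplied as untrusted intermediates. Exit status is
# openssl's (non-zero on failure) and the output names the depth that failed.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Usage, e.g.: report_bundle subcas.pem
#              verify_chain root.pem subcas.pem client.pem
```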