Sorry to everybody, this is a long post. I am having trouble getting client auth going (been trying it for 8 hrs). I am running fbsd4.5-release, apache 1.3.23 and mod_ssl 2.8.7.

Error Log
=========
[26/Mar/2002 12:45:19 14664] [info]  Connection to child 5 established (server webmail.ipfw.org:443, client 192.168.111.254)
[26/Mar/2002 12:45:19 14664] [info]  Seeding PRNG with 23177 bytes of entropy
[26/Mar/2002 12:45:19 14664] [error] Certificate Verification: Error (20): unable to get local issuer certificate

I enclosed the steps that I did to create the CA, server and client cert, and my httpd.conf. Please take your time and read it. Any help will be greatly appreciated. TIA.

Create CA
=========
zeus:incoming# openssl genrsa -des3 -out ca.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
......................................++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
zeus:incoming# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw CA
Organizational Unit Name (eg, section) []:Certificate Authorize^C
zeus:incoming# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw.org
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:webmail.ipfw.org
Email Address []:[EMAIL PROTECTED]
zeus:incoming# ll
total 19
drwxr-xr-x  2 webbie  webbie   512 Mar 26 12:21 .
drwx------  9 webbie  webbie  1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie  1346 Mar 26 12:21 ca.crt
-rw-r--r--  1 root    webbie   963 Mar 26 12:19 ca.key
-rwxr-xr-x  1 webbie  webbie  1784 Mar 26 03:11 sign.sh

CA creation done, now make the server key.
===========================================
zeus:incoming# openssl genrsa -des3 -out server.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
......++++++
........................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
zeus:incoming# openssl req -new -key server.key -out server.csr
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw.org
Organizational Unit Name (eg, section) []:WebServer Team
Common Name (eg, YOUR name) []:webmail.ipfw.org
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
zeus:incoming# ll -rt
total 21
drwx------  9 webbie  webbie  1024 Mar 26 00:57 ..
-rwxr-xr-x  1 webbie  webbie  1784 Mar 26 03:11 sign.sh
-rw-r--r--  1 root    webbie   963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie  1346 Mar 26 12:21 ca.crt
-rw-r--r--  1 root    webbie   963 Mar 26 12:22 server.key
-rw-r--r--  1 root    webbie   716 Mar 26 12:23 server.csr
drwxr-xr-x  2 webbie  webbie   512 Mar 26 12:23 .

Now, I am going to sign my server cert using my own CA
======================================================
zeus:incoming# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Ontario'
localityName          :PRINTABLE:'Mississauga'
organizationName      :PRINTABLE:'ipfw.org'
organizationalUnitName:PRINTABLE:'WebServer Team'
commonName            :PRINTABLE:'webmail.ipfw.org'
emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Mar 26 17:25:23 2003 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
zeus:incoming# ll
total 27
drwxr-xr-x  3 webbie  webbie   512 Mar 26 12:25 .
drwx------  9 webbie  webbie  1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie  1346 Mar 26 12:21 ca.crt
drwxr-xr-x  2 root    webbie   512 Mar 26 12:25 ca.db.certs
-rw-r--r--  1 root    webbie   126 Mar 26 12:25 ca.db.index
-rw-r--r--  1 root    webbie     3 Mar 26 12:25 ca.db.serial
-rw-r--r--  1 root    webbie   963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie  2745 Mar 26 12:25 server.crt
-rw-r--r--  1 root    webbie   716 Mar 26 12:23 server.csr
-rw-r--r--  1 root    webbie   963 Mar 26 12:22 server.key
-rwxr-xr-x  1 webbie  webbie  1785 Mar 26 12:24 sign.sh

Now, I am going to create my client cert and sign with my own CA
================================================================
zeus:incoming# openssl genrsa -des3 -out kingkong.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
.......++++++
.................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
zeus:incoming# openssl req -new -key kingkong.key -out kingkong.csr
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw.org
Organizational Unit Name (eg, section) []:kingkong
Common Name (eg, YOUR name) []:kingkong
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
zeus:incoming# ./sign.sh kingkong.csr
CA signing: kingkong.csr -> kingkong.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Ontario'
localityName          :PRINTABLE:'Mississauga'
organizationName      :PRINTABLE:'ipfw.org'
organizationalUnitName:PRINTABLE:'kingkong'
commonName            :PRINTABLE:'kingkong'
Certificate is to be certified until Mar 26 17:37:13 2003 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: kingkong.crt <-> CA cert
kingkong.crt: OK
zeus:incoming# ll
total 32
drwxr-xr-x  3 webbie  webbie   512 Mar 26 12:37 .
drwx------  9 webbie  webbie  1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie  1346 Mar 26 12:21 ca.crt
drwxr-xr-x  2 root    webbie   512 Mar 26 12:37 ca.db.certs
-rw-r--r--  1 root    webbie   220 Mar 26 12:37 ca.db.index
-rw-r--r--  1 root    webbie     3 Mar 26 12:37 ca.db.serial
-rw-r--r--  1 root    webbie   963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie  2656 Mar 26 12:37 kingkong.crt
-rw-r--r--  1 root    webbie   660 Mar 26 12:36 kingkong.csr
-rw-r--r--  1 root    webbie   963 Mar 26 12:34 kingkong.key
-rw-r--r--  1 root    webbie  2745 Mar 26 12:25 server.crt
-rw-r--r--  1 root    webbie   716 Mar 26 12:23 server.csr
-rw-r--r--  1 root    webbie   963 Mar 26 12:22 server.key
-rwxr-xr-x  1 webbie  webbie  1785 Mar 26 12:24 sign.sh

Export the key to IE5
=====================
zeus:incoming# openssl pkcs12 -export -in kingkong.crt -inkey kingkong.key -certfile ca.crt -name "webmail.ipfw.org" -out kingkong.p12
Enter PEM pass phrase:
Enter Export Password:
Verifying password - Enter Export Password:
zeus:incoming# ll
total 35
drwxr-xr-x  3 webbie  webbie   512 Mar 26 12:38 .
drwx------  9 webbie  webbie  1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie  1346 Mar 26 12:21 ca.crt
drwxr-xr-x  2 root    webbie   512 Mar 26 12:37 ca.db.certs
-rw-r--r--  1 root    webbie   220 Mar 26 12:37 ca.db.index
-rw-r--r--  1 root    webbie     3 Mar 26 12:37 ca.db.serial
-rw-r--r--  1 root    webbie   963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie  2656 Mar 26 12:37 kingkong.crt
-rw-r--r--  1 root    webbie   660 Mar 26 12:36 kingkong.csr
-rw-r--r--  1 root    webbie   963 Mar 26 12:34 kingkong.key
-rw-r--r--  1 root    webbie  2758 Mar 26 12:38 kingkong.p12
-rw-r--r--  1 root    webbie  2745 Mar 26 12:25 server.crt
-rw-r--r--  1 root    webbie   716 Mar 26 12:23 server.csr
-rw-r--r--  1 root    webbie   963 Mar 26 12:22 server.key
-rwxr-xr-x  1 webbie  webbie  1785 Mar 26 12:24 sign.sh

httpd.conf
==========
[snip]
<IfDefine SSL>
<VirtualHost 24.112.xxx.0:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /opt/webmail.ipfw.org
    ServerName webmail.ipfw.org
    ErrorLog logs/webmail-error_log

    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key
    SSLCertificateChainFile /opt/apache/conf/ssl.crt/ca.crt
    SSLCACertificatePath /opt/apache/conf/ssl.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Files ~ "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/opt/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog /opt/apache/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

--
Peter                                    \\|//
                                         (o o)
+-------------------------oOOo-(_)-oOOo-----------------------------+
EMail          : mailto:pccb(at)ipfw(dot)org
PGP Key        : http://www.ipfw.org/pgpkey.txt
PGP Fingerprint: 1379 3D8A 024E 3C0E 1962 4E12 3742 0684 C29C 3537
+-------------------------------------------------------------------+
It's the InterNIC's fault.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]