Hi! I am trying to use mod_ssl to protect a part of my site from all users except a few persons having client certificates signed by my _self-created_ CA key. I created my ca.crt and signed some csr files with it, and have no problems accessing the site with those.
I use the following httpd.conf options:

> ...
> <Location /private>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLCACertificateFile "/path/to/my/ca.crt"
> </Location>
> ...

But the Apache docs say: "... the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server". That means that _everybody_ can access the private part of my site just by creating a self-signed certificate and using it to authenticate himself/herself.

Then I wanted to check whether it is as bad as the docs say. I created a self-signed certificate with the following commands and tried to authorize using the resulting clt.p12:

> openssl genrsa -out clt.pem 1024
> openssl req -new -x509 -key clt.pem -out clt.crt -days 100
> openssl pkcs12 -export -inkey clt.pem -in clt.crt -out clt.p12

and I got the error "The presented certificate has an unknown Certificate Authority." in my browser (Opera 9.22). The server logs contained the following:

> [error] Certificate Verification: Error (18): self signed certificate
> [error] Re-negotiation handshake failed: Not accepted by client!?

So, I see the docs don't mean what I think they mean... or I'm wrong somewhere (for example, in creating a self-signed certificate or in understanding what "self-signed certificate" means in the context of the Apache docs). So, here are the questions:

1. Are the docs correct?
2. Do I correctly understand that in any case (with any value of SSLVerifyDepth) everybody will be able to access the private part of my site (since everybody can create a self-signed certificate)?
3. If so, why can't I use a self-signed certificate to access my site?
4. Is there a way to grant access only to users with a certificate signed by my ca.crt?

I use Windows XP, Apache/2.2.6, mod_ssl/2.2.6, OpenSSL/0.9.8e, PHP/5.2.3. Help me, please...
______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager [EMAIL PROTECTED]
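An added example (not part of the original post) that shows what the docs' wording means in practice: it runs the same chain check mod_ssl performs against SSLCACertificateFile, using `openssl verify` on a constructed CA, a client certificate signed by that CA, and a self-signed client certificate. The CA, certificate names and scratch directory are constructed for this demo; it assumes the `openssl` command line tool is installed.

```shell
#!/bin/sh
# Added example: reproduce mod_ssl's client-certificate chain check with
# `openssl verify`. All names and paths below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: a writable scratch directory

# Build a private CA, one client cert signed by it, and one self-signed cert.
setup_pki() (
  cd "$WORK"
  # self-created CA (plays the role of ca.crt in the post)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -days 100 -subj "/CN=Demo CA" >/dev/null 2>&1
  # client certificate signed by that CA
  openssl req -newkey rsa:2048 -nodes -keyout good.key -out good.csr \
      -subj "/CN=good client" >/dev/null 2>&1
  openssl x509 -req -in good.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out good.crt -days 100 >/dev/null 2>&1
  # self-signed client certificate (plays the role of clt.crt in the post)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout self.key -out self.crt \
      -days 100 -subj "/CN=self-signed client" >/dev/null 2>&1
)

# verify_cert CERT CAFILE -> exit 0 if CERT chains to a cert in CAFILE,
# non-zero otherwise. This is the check mod_ssl applies to the client cert
# using the certificates listed in SSLCACertificateFile.
verify_cert() {
  openssl verify -CAfile "$WORK/$2" "$WORK/$1" >/dev/null 2>&1
}

setup_pki
verify_cert good.crt ca.crt && echo "CA-signed client vs ca.crt: accepted"
verify_cert self.crt ca.crt || echo "self-signed client vs ca.crt: rejected (the post's error 18)"
# "self-signed" in the docs means the self-signed cert is itself in the CA
# file, i.e. directly trusted; only then does the one-cert chain verify.
verify_cert self.crt self.crt && echo "self-signed client listed in CA file: accepted"
```

Only certificates listed in SSLCACertificateFile, or chaining to one of them, pass; an arbitrary self-signed certificate is rejected, which is the behaviour the log line in the post shows.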