Re: [users@httpd] Mac OS X and SSL Client Certitficates

Mon, 15 Oct 2012 07:00:18 -0700 

On October 12, 2012 10:41 , Tom Browder <tom.brow...@gmail.com> wrote:

I have successfully generated SSL client certs (generated with openssl
1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus
IE 9 on Windows, but I cannot get successful access with either Safari
or Firefox on Mac OS X.



I think it is strange that you are having problems with both Safari and 
Firefox under MacOS X, because Firefox does not use Apple's keychain, as 
far as I know -- it uses its own, independent keystore.



Is your client certificate directly signed by a root certificate, or are 
there one or more intermediate CAs involved?  If there are intermediate 
CAs, make sure that the intermediate certs are also imported into 
Apple's Keychain (Safari) or Firefox's certificate/key database.



If you don't have anything better to try, see if you can reproduce the 
problem from a terminal window on MacOS X, using the copies of the 
certificate and private key that you previously imported into Apple 
Keychain:



openssl s_client -connect site.example.org:443 -verify 10 -cert 
/path/to/client/certificate.cert -key /path/to/client/key.key -CAfile 
/path/to/client/cert/CA-certificate.cert -showcerts -debug



If you get an "SSL-session:" block of output ending with the line 
"Verify return code: 0 (ok)", then issue an HTTP/1.1 request for a 
resource that *requires* a client certificate (see below for a warning 
about using "SSLVerifyClient optional"):


GET /path/to/client/cert/required/page.html HTTP/1.1
Host: site.example.com


Be sure to press Return twice after the Host header.  You should get the 
protected page as output; if you don't, you might have reproduced the 
problem, and it's very likely that a clue is in openssl's output 
somewhere.  Press Control-D to exit openssl.




The Apache (2.2.14, Ubuntu) site has this configuration, in server
context, that gives the option to present a certificate:

  SSLVerifyClient optional



I recommend changing this to "SSLVerifyClient required".  I've had 
problems with Safari 6.x when "SSLVerifyClient optional" was set 
(although this worked just fine with Firefox 15 under MacOS X, so I 
don't think this is the only source of your problem with Safari client 
certificates).


Sorry I don't have any better advice.

--
  Mark Montague
  m...@catseye.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org























					Reply via email to