The issuer DN is the same; the PEM file is a CA bundle.

On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icici...@gmail.com> wrote:

>
> On 04/03/2013 7:33 AM, "Michele Mase'" <michele.m...@gmail.com> wrote:
> >
> > Anyone?
> >
> >
> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.m...@gmail.com> wrote:
> >>
> >> I'm testing a client authentication using:
> >>
> >> SSLCACertificateFile /path/to/pemfile.pem
> >> <LocationMatch "/test">
> >>         SSLVerifyClient require
> >>         SSLVerifyDepth 2
> >>         SSLOptions +StdEnvVars +ExportCertData
> >>         SSLRequire  %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
> >> </LocationMatch>
> >>
> >>
> >> I should use two different CAs with the same DN (file /path/to/pemfile.pem)
> >> When I try to use this configuration I receive:
> >> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
> >>
> >> The only way it works is without the SSLRequire directive.
> >> or
> >> Using only one CA in the file (file /path/to/pemfile.pem)
> >>
> >> Some suggestions?
> >>
> >> Regards
> >> Michele Masè
> >
> >
> Please paste the output of
>
> # openssl x509 -noout -in /path/to/pemfile.pem -text
>
> so we know what we are talking about here. If there are multiple DNs in the
> file, why are you trying to match one using eq then? Anyway, the above command
> will show us the issuer DN string and you can see what you are doing wrong.
>
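`openssl x509` reads only the first certificate in its input, so run against a CA bundle the command quoted above describes one CA only. The following is an added example, not part of the thread: it splits a bundle and prints subject, issuer, serial and fingerprint for every certificate, then lists any subject DN carried by more than one certificate. The function names are made up for this example, and the bundle path is passed as the first argument.

```shell
#!/bin/sh
# Added example: inspect every certificate in a PEM CA bundle.
# `openssl x509` reads only the first certificate in its input, so the bundle
# is split first and each block is inspected on its own.

# split_bundle BUNDLE OUTDIR   (hypothetical helper name)
# Writes each certificate block to OUTDIR/cert-N.pem and prints the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# describe_bundle BUNDLE   (hypothetical helper name)
# Prints the identifying fields of each CA, then any subject DN that appears
# on more than one certificate (two CAs sharing one DN, as in the thread).
describe_bundle() {
    tmp=$(mktemp -d) || return 1
    count=$(split_bundle "$1" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $1" >&2
        rm -rf "$tmp"
        return 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== certificate $i of $count =="
        openssl x509 -noout -subject -issuer -serial -fingerprint -sha256 \
            -in "$tmp/cert-$i.pem"
        i=$((i + 1))
    done
    echo "== subject DNs carried by more than one certificate =="
    for f in "$tmp"/cert-*.pem; do
        openssl x509 -noout -subject -in "$f"
    done | sort | uniq -d
    rm -rf "$tmp"
}

# Run as: sh thisfile.sh /path/to/pemfile.pem
if [ "$#" -ge 1 ]; then
    describe_bundle "$1"
fi
```

Two certificates with the same subject DN still differ in serial number and fingerprint, which is what tells the two CAs apart in the output.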
