The issuer dn is the same; the pem file is a ca bundle.
On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov <icici...@gmail.com> wrote:
>
> On 04/03/2013 7:33 AM, "Michele Mase'" <michele.m...@gmail.com> wrote:
> >
> > Anyone?
> >
> >
> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' <michele.m...@gmail.com> wrote:
> >>
> >> I'm testing a client authentication using:
> >>
> >> SSLCACertificateFile /path/to/pemfile.pem
> >> <LocationMatch "/test">
> >> SSLVerifyClient require
> >> SSLVerifyDepth 2
> >> SSLOptions +StdEnvVars +ExportCertData
> >> SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
> >> </LocationMatch>
> >>
> >>
> >> I should use two different CA with the same DN (file /path/to/pemfile.pem)
> >> When I try to use this configuration I receive:
> >> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
> >>
> >> The only way it works is without the SSLRequire directive.
> >> or
> >> Using only one CA in the file (file /path/to/pemfile.pem)
> >>
> >> Some suggestions?
> >>
> >> Regards
> >> Michele Masè
> >
>
> Please paste the output of
>
> # openssl x509 -noout -in /path/to/pemfile.pem -text
>
> so we know what are we talking about here. If multiple dn in the file why are you trying to match one using eq then? Anyway, the above command will show us the issuer dn string and you can see what are you doing wrong.
>
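
Added example, not part of the original thread: `openssl x509` decodes only the first certificate in a file, so for a CA bundle such as the one discussed above this script splits the PEM, prints the subject DN and SHA-256 fingerprint of every certificate, and reports subject DNs carried by more than one certificate. The function names are hypothetical and the bundle path is whatever you pass on the command line.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Print "<subject DN><TAB><SHA-256 fingerprint>" for EVERY certificate in a
# PEM bundle. A plain `openssl x509 -in bundle.pem` stops after the first one.
list_bundle_certs() {
    bundle=$1
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle: each BEGIN line opens a new numbered file.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for f in "$tmpdir"/cert-*.pem; do
        [ -e "$f" ] || continue   # bundle held no certificates
        # -nameopt compat = OpenSSL's old one-line DN format.
        subj=$(openssl x509 -noout -subject -nameopt compat -in "$f" |
               sed 's/^subject= *//')
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$f" | sed 's/^.*=//')
        printf '%s\t%s\n' "$subj" "$fp"
    done
    rm -rf "$tmpdir"
}

# Print each subject DN that is carried by more than one distinct certificate
# in the bundle (identical copies of one certificate are counted once).
duplicate_subject_dns() {
    list_bundle_certs "$1" | sort -u | cut -f1 | sort | uniq -d
}

# Run against a bundle when a path is given on the command line.
if [ "$#" -ge 1 ]; then
    list_bundle_certs "$1"
    echo "Subject DNs shared by more than one certificate:"
    duplicate_subject_dns "$1"
fi
```

The subject DN of a CA certificate in the bundle is what appears as the issuer DN of the client certificates it signed, so the listed strings can be compared directly with the value used in the `SSLRequire` expression.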