Hi!

How to set up apache mod_ssl to accept client certificates issued by one 
specific intermediate?

Let's have certificates (ordered by issuer):
  - root CA
    - intermediate 1
      - client 11
      - client 12
    - intermediate 2
      - client 21
      - client 22


I want to allow certificates 11 and 12 (and possibly others issued by 
"intermediate 1"), but not the others.

My naive approach was to add "intermediate 1" to the SSLCACertificateFile and 
set SSLVerifyDepth to 1.

But that does not work.
It allows clients to select their certificate issued by "intermediate 1" (and 
not others), but when the connection goes on, it is refused.
Apache logs:
[error] Certificate Verification: Error (20): unable to get local issuer 
certificate

The only way I found to make it accept this certificate is to add both "root 
CA" and "intermediate 1" to the SSLCACertificateFile and set SSLVerifyDepth to 
2 or more.
But this also allows certificates issued by "intermediate 2", which I do not 
want.

How to solve this problem?


Fun fact: almost the same question was asked 16 years ago: 
http://marc.info/?l=apache-ssl&m=97326252821385&w=2
With no answer.

PS: I use apache 2.2.3 with openssl 0.9.8a

David Balažic
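An added configuration example (not part of the original post, and not an answer from the list): it shows how the two-step shape described above can be made to enforce the intended policy in Apache 2.2 mod_ssl. Error 20 ("unable to get local issuer certificate") appears because OpenSSL 0.9.8 only accepts a chain that ends in a self-signed certificate it trusts, so the root has to be in SSLCACertificateFile; once it is, any intermediate under that root verifies if the client sends it along. The example therefore keeps root + intermediate 1 in the trust file and adds an SSLRequire check on the client certificate's immediate issuer DN, which is where the "only intermediate 1" rule is actually enforced. All file paths and the issuer DN are placeholders (assumptions); the DN string format shown is the 2.2 "/C=.../O=.../CN=..." style.

```apache
# Added example, not from the original post. Paths and DNs are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt     # placeholder
    SSLCertificateKeyFile /etc/ssl/server.key     # placeholder

    # Trust store: MUST contain the self-signed root CA so that OpenSSL 0.9.8
    # can build a complete chain; the intermediate alone yields error 20
    # ("unable to get local issuer certificate"). Contents: root CA +
    # intermediate 1 (intermediate 2 deliberately omitted).
    SSLCACertificateFile /etc/ssl/ca-bundle-root-and-int1.pem   # placeholder
    SSLVerifyClient      require
    # client cert = depth 0, intermediate = 1, root = 2
    SSLVerifyDepth       2

    # Optional hint: advertise only intermediate 1 in the CertificateRequest
    # so clients pick the right certificate. This is a UI hint, not access
    # control: a client can still present a chain through intermediate 2.
    SSLCADNRequestFile /etc/ssl/intermediate1-only.pem           # placeholder

    # Enforcement: the *immediate* issuer of the client certificate must be
    # intermediate 1. A certificate from intermediate 2 chains to the same
    # root and passes verification, but is rejected here with 403.
    <Location />
        SSLRequire %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example Org/CN=intermediate 1"
    </Location>
</VirtualHost>
```

Two things worth checking when adapting this: the exact string to compare against can be read from an existing request by logging `%{SSL_CLIENT_I_DN}x` (or from `openssl x509 -noout -issuer` on client 11), and on Apache 2.4 the default DN format is comma-separated RFC 2253 unless `SSLOptions +LegacyDNStringFormat` is set, so the comparison string changes accordingly.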
