Hello everyone, first time post.

I am implementing certificate based authentication on an Apache server (2.4.39) with OCSP enabled.  An end user must have a valid digital certificate from a trusted CA to access my Web site.

Here are the Apache directives:

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/manage.pseudo-nym.com.cert
    SSLCertificateKeyFile /etc/pki/tls/private/manage.pseudo-nym.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/manage.pseudo-nym.com.bundle
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1
    SSLCACertificateFile /etc/pki/tls/certs/PseudoNymCAManagement.cacert.pem
    SSLVerifyClient on
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData
    SSLOCSPEnable leaf
    SSLOCSPDefaultResponder "http://verify.pseudo-nym.com"
    SSLOCSPOverrideResponder on
    RewriteEngine On
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    RewriteRule (.*) http://www.pseudo-nym.com/content/no-credential [R]

Everything works well when 1) no client certificate is available (redirect to an external web page) and 2) a certificate is validated successfully (user is redirected to the web site).

However, I am having a problem handling a revoked certificate. Currently, when a user accesses my site with a revoked certificate, a default error is shown on a blank page: ERR_BAD_SSL_CLIENT_AUTH_CERT

I'd like to redirect the user to a more informational page.

Is there an OCSP status similar to SSL_CLIENT_VERIFY that I can use to redirect the user?

I've looked everywhere and can't find any information.

Thanks in advance.

--

Richard J. Van Horn
