I'm not sure if this command for signing the client certificate is correct as I don't see your corresponding openssl config and if it sets the correct keyUsage and extensions: sign client CSR openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
I usually use this command and it works fine: openssl ca -config intermediate/openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in intermediate/csr/www.example.com.csr.pem -out intermediate/certs/www.example.com.cert.pem With this openssl.cnf ``` # OpenSSL intermediate CA configuration file. # Copy to `/root/ca/intermediate/openssl.cnf`. [ ca ] # `man ca` default_ca = CA_default [ CA_default ] # Directory and file locations. dir = /root/ca/intermediate certs = $dir/certs crl_dir = $dir/crl new_certs_dir = $dir/newcerts database = $dir/index.txt serial = $dir/serial RANDFILE = $dir/private/.rand # The root key and root certificate. private_key = $dir/private/intermediate.key.pem certificate = $dir/certs/intermediate.cert.pem # For certificate revocation lists. crlnumber = $dir/crlnumber crl = $dir/crl/intermediate.crl.pem crl_extensions = crl_ext default_crl_days = 30 # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 name_opt = ca_default cert_opt = ca_default default_days = 375 preserve = no policy = policy_loose [ policy_strict ] # The root CA should only sign intermediate certificates that match. # See the POLICY FORMAT section of `man ca`. countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_loose ] # Allow the intermediate CA to sign a more diverse range of certificates. # See the POLICY FORMAT section of the `ca` man page. countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] # Options for the `req` tool (`man req`). default_bits = 2048 distinguished_name = req_distinguished_name string_mask = utf8only # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 # Extension to add when the -x509 option is used. x509_extensions = v3_ca [ req_distinguished_name ] # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name emailAddress = Email Address # Optionally, specify some defaults. countryName_default = GB stateOrProvinceName_default = England localityName_default = 0.organizationName_default = Alice Ltd organizationalUnitName_default = emailAddress_default = [ v3_ca ] # Extensions for a typical CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ v3_intermediate_ca ] # Extensions for a typical intermediate CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = client, email nsComment = "OpenSSL Generated Client Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection [ server_cert ] # Extensions for server certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth [ crl_ext ] # Extension for CRLs (`man x509v3_config`). authorityKeyIdentifier=keyid:always [ ocsp ] # Extension for OCSP signing certificates (`man ocsp`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, digitalSignature extendedKeyUsage = critical, OCSPSigning ``` I suggest looking here for further information, I followed this guide and it works fine: https://jamielinux.com/docs/openssl-certificate-authority/index.html Am 10. Juli 2023 05:27:35 MESZ schrieb Jiangsu Kumquat <x...@mynetblog.com>: >I just tried accessing the "/secure/" directory in Edge and got the same >error message after importing my pkcs12 certificate. > >I forgot to include the Apache2 error logs... > >[Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client >192.168.0.5:64817] AH10158: cannot perform post-handshake authentication >[Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library Error: >error:0A000117:SSL routines::extension not received > >On Sun, Jul 9, 2023 at 6:52 PM Jiangsu Kumquat <x...@mynetblog.com> wrote: > >> >> I'm stuck. I am trying to use certificate authentication to restrict >> access to a directory. I'm using my own certificate authority that I >> created using the commands below. >> >> I'm running Apache2 on Debian linux. >> >> *** CA KEYS >> >> create CA private key >> openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:4096 >> >> create CA self signed certificate >> openssl req -new -x509 -key ca.key -out ca.crt >> >> sign client CSR >> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key >> -CAcreateserial -out client.crt >> >> >> *** CLIENT KEYS >> >> generate client private key >> openssl genpkey -algorithm RSA -out private_key.key -pkeyopt >> rsa_keygen_bits:4096 >> >> generate certificate signing request (CSR) >> openssl req -new -key private_key.key -out client.csr >> >> generate pkcs12 client certificate >> openssl pkcs12 -export -out certificate.p12 -inkey private_key.key -in >> client.crt >> >> >> >> *** Apache2 config >> >> (This is inside a virtual host block) >> >> # This is the CA.crt file I generated above >> SSLCACertificateFile /etc/apache2/ssl-client/ca.crt >> >> <Directory /var/www/html/secure> >> SSLRequireSSL >> # SSLVerifyClient require >> SSLVerifyClient optional_no_ca >> SSLVerifyDepth 2 >> SSLOptions +StdEnvVars +ExportCertData >> # SSLRequire %{SSL_CLIENT_S_DN_CN} == "" >> </Directory> >> >> I imported the pkcs12 client certificate I generated above into my Firefox >> browser. >> >> When I access: >> https://example.com/secure >> >> I get this error: >> >> Forbidden >> You don't have permission to access this resource.Reason: Cannot perform >> Post-Handshake Authentication. >> >> >> I'm not sure where to go from here. I don't know how to get past this >> error message. >> >> >> >> >>