Clientauthentication with Certificates and Apache

on 16.12.2004 08:32:51 by Fitzner Daniel

Hello guys,

I have the following PKI environment:

            RootCA
           /      \
Issuing SubCA-1   Issuing SubCA-2
       |                 |
   UserCert-A        UserCert-B

I want to do client authentication with certificates only for users with certs from the Issuing SubCA-2.

So I made the following configuration:

SSLVerifyClient require
SSLCACertificateFile CACHAIN.PEM
SSLVerifyDepth 2

CACHAIN.PEM includes the cert from RootCA and from the Issuing SubCA-2.

Now comes the problem. Not only users with certs from SubCA-2 can connect; users with certs from SubCA-1 (f.i. UserCert-A) can connect too.

How can I avoid this?

I tried to use only the certificate from SubCA-2 in the directive (SSLCACertificateFile SubCA-2.pem), but with this config no one can connect, not even the clients with certs from SubCA-2.

I know it is possible to check for various ingredients of the client certificate (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular) but I don't want to use this.

I read an old post (http://www.mail-archive.com/modssl-users@modssl.org/msg10335.html) in this mailing list. This post said that users with certs from SubCA-1 should not be able to connect.

Please help, I have no new ideas.

Best regards, Daniel



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
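The situation in this post, reproduced with openssl as an added example (not code from the thread or from mod_ssl): the script builds a throwaway copy of the PKI in the diagram above and checks which client certificates validate against CACHAIN.PEM. It assumes openssl 1.1.0 or newer on PATH; every key and file name is constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the poster's PKI with throwaway
# keys and use openssl verify to see what a server trusting CACHAIN.PEM
# (RootCA + SubCA-2) accepts. Assumes openssl 1.1.0 or newer on PATH; every
# name below is constructed to match the thread's diagram.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal req config plus extension sections for CA and client certificates.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# issue NAME ISSUER SECTION: create NAME.key and NAME.pem signed by ISSUER.
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# RootCA -> SubCA-1 -> UserCert-A and RootCA -> SubCA-2 -> UserCert-B
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout RootCA.key -subj /CN=RootCA -days 30 -out RootCA.pem 2>/dev/null
issue SubCA-1 RootCA v3_ca
issue SubCA-2 RootCA v3_ca
issue UserCert-A SubCA-1 v3_client
issue UserCert-B SubCA-2 v3_client
cat RootCA.pem SubCA-2.pem > CACHAIN.PEM   # the poster's SSLCACertificateFile

# server_accepts TRUSTED CERT INTERMEDIATE: models the server's chain check.
# TRUSTED plays SSLCACertificateFile; INTERMEDIATE is the issuing CA cert the
# client sends in its TLS chain. Returns 0 (accepted) or 1 (rejected).
server_accepts() {
  openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}
report() { if server_accepts "$2" "$3" "$4"; then echo "$1: accepted"; else echo "$1: rejected"; fi; }

report "UserCert-B with CACHAIN.PEM" CACHAIN.PEM UserCert-B.pem SubCA-2.pem
report "UserCert-A with CACHAIN.PEM" CACHAIN.PEM UserCert-A.pem SubCA-1.pem
report "UserCert-B with SubCA-2.pem alone" SubCA-2.pem UserCert-B.pem SubCA-2.pem
```

The first two cases show why both sub-CAs get in: a trust file containing RootCA anchors any chain that reaches RootCA, and the client supplies SubCA-1 itself; the third reproduces the lock-out with SubCA-2.pem alone, since no chain reaches a self-signed root. SSLVerifyDepth is deliberately not modelled, because how openssl counts depth has changed between OpenSSL releases.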

Re: Clientauthentication with Certificates and Apache

on 16.12.2004 09:06:55 by Charles-Edouard Ruault

Fitzner Daniel wrote:

>Hello guys,
>
>I have the following PKI environment:
>
>            RootCA
>           /      \
>Issuing SubCA-1   Issuing SubCA-2
>       |                 |
>   UserCert-A        UserCert-B
>
>I want to do client authentication with certificates only for users with certs from the Issuing SubCA-2.
>
>So I made the following configuration:
>
>SSLVerifyClient require
>SSLCACertificateFile CACHAIN.PEM
>SSLVerifyDepth 2
>
>CACHAIN.PEM includes the cert from RootCA and from the Issuing SubCA-2.
>
>Now comes the problem. Not only users with certs from SubCA-2 can connect; users with certs from SubCA-1 (f.i. UserCert-A) can connect too.
>
>How can I avoid this?
>
>I tried to use only the certificate from SubCA-2 in the directive (SSLCACertificateFile SubCA-2.pem), but with this config no one can connect, not even the clients with certs from SubCA-2.
>
>I know it is possible to check for various ingredients of the client certificate (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular) but I don't want to use this.
>
>I read an old post (http://www.mail-archive.com/modssl-users@modssl.org/msg10335.html) in this mailing list. This post said that users with certs from SubCA-1 should not be able to connect.
>
>Please help, I have no new ideas.
>
>Best regards, Daniel
>
Hi Daniel,
have a look at this topic of the mod_ssl HOWTO; it will help you solve
your problem: http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8
Good luck.

--
Charles-Edouard Ruault
Idtect SA
115 rue Reaumur - 75002, Paris, France
Tel: +33-1-55-34-76-65
Fax: +33-1-55-34-76-75
Web: http://www.idtect.com


RE: Clientauthentication with Certificates and Apache

on 16.12.2004 10:00:13 by Juan Angel Martin

Hi,

I thought that you must put the RootCA and Issuing SubCA-2 certificates (both in PEM) into your SSLCACertificateFile and change your SSLVerifyDepth to 1.

It works on my servers.

bye

Juan Angel Martin Gomez
AC Camerfirma
Tel. +34 920252750 Fax +34 920252732
http://www.camerfirma.com


-----Original Message-----
From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org] On Behalf Of Fitzner Daniel
Sent: Thursday, 16 December 2004 8:33
To: 'modssl-users@modssl.org'
Subject: Clientauthentication with Certificates and Apache

Hello guys,

I have the following PKI environment:

            RootCA
           /      \
Issuing SubCA-1   Issuing SubCA-2
       |                 |
   UserCert-A        UserCert-B

I want to do client authentication with certificates only for users with certs from the Issuing SubCA-2.

So I made the following configuration:

SSLVerifyClient require
SSLCACertificateFile CACHAIN.PEM
SSLVerifyDepth 2

CACHAIN.PEM includes the cert from RootCA and from the Issuing SubCA-2.

Now comes the problem. Not only users with certs from SubCA-2 can connect; users with certs from SubCA-1 (f.i. UserCert-A) can connect too.

How can I avoid this?

I tried to use only the certificate from SubCA-2 in the directive (SSLCACertificateFile SubCA-2.pem), but with this config no one can connect, not even the clients with certs from SubCA-2.

I know it is possible to check for various ingredients of the client certificate (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular) but I don't want to use this.

I read an old post (http://www.mail-archive.com/modssl-users@modssl.org/msg10335.html) in this mailing list. This post said that users with certs from SubCA-1 should not be able to connect.

Please help, I have no new ideas.

Best regards, Daniel


