Re: Client authentication and Chain certs

On 24.10.2003 15:17:24 by m.chartoire



We also have: root CA -> sub CA -> client or server cert

We have put the root and sub CA in a directory pointed to by:
SSLCACertificatePath

In this directory we have the attached Makefile that we run to make a
hash of all CAs and link the result of the hash to each CA.

This works fine with apache 1.3.3x to the latest 2.4.

--
Martial Chartoire, Service Informatique | E-mail: m.chartoire@ipnl.in2p3.fr
Institut de Physique Nucleaire de Lyon | phone : +33 472 448 430
43, BD du 11 Novembre 1918 | fax : +33 472 448 004
F 69622 Villeurbanne Cedex |
Attachment: Makefile

##
## Makefile to keep the hash symlinks in SSLCACertificatePath up to date
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##
## mod_ssl looks CA certificates up by the hash of their subject name, so every
## CA file in this directory needs a symlink named <hash>.<n> pointing at it.
## "make update" removes the old links, locates an openssl (or ssleay) binary,
## and creates one link per *.crt file; files containing the string SKIPME are
## left alone, and <n> is incremented when two CAs hash to the same value.
##

SSL_PROGRAM=

update: clean
	-@ssl_program="$(SSL_PROGRAM)"; \
	if [ ".$$ssl_program" = . ]; then \
	    for dir in . `echo $$PATH | sed -e 's/:/ /g'`; do \
	        for program in openssl ssleay; do \
	            if [ -f "$$dir/$$program" ]; then \
	                if [ -x "$$dir/$$program" ]; then \
	                    ssl_program="$$dir/$$program"; \
	                    break; \
	                fi; \
	            fi; \
	        done; \
	        if [ ".$$ssl_program" != . ]; then \
	            break; \
	        fi; \
	    done; \
	fi; \
	if [ ".$$ssl_program" = . ]; then \
	    echo "Error: neither 'openssl' nor 'ssleay' program found" 1>&2; \
	    exit 1; \
	fi; \
	for file in *.crt; do \
	    if [ ".`grep SKIPME $$file`" != . ]; then \
	        echo dummy |\
	        awk '{ printf("%-15s ... Skipped\n", file); }' \
	            "file=$$file"; \
	    else \
	        n=0; \
	        while [ 1 ]; do \
	            hash="`$$ssl_program x509 -noout -hash <$$file`"; \
	            if [ -r "$$hash.$$n" ]; then \
	                n=`expr $$n + 1`; \
	            else \
	                echo dummy |\
	                awk '{ printf("%-15s ... %s\n", file, hash); }' \
	                    "file=$$file" "hash=$$hash.$$n"; \
	                ln -s $$file $$hash.$$n; \
	                break; \
	            fi; \
	        done; \
	    fi; \
	done

clean:
	-@rm -f [0-9a-fA-F]*.[0-9]*


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
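The Makefile above does by hand what later OpenSSL ships as c_rehash / "openssl rehash": every CA file gets a link named after its subject hash, with a .N suffix so that two CAs hashing to the same value both stay reachable. The following is an added example, not Martial's attachment or mod_ssl code, that reimplements that logic in Python: the hash is the OpenSSL 0.9.x-era formula (assumption: MD5-based X509_NAME_hash_old, which is what "x509 -hash" printed at the time), and the DER subject names are constructed inline.

```python
import hashlib
import os
import re
import tempfile
def subject_hash_old(der_subject: bytes) -> str:
    # OpenSSL 0.9.x "x509 -hash": first 4 bytes of MD5 over the DER subject name,
    # read little-endian, as 8 hex digits (OpenSSL >= 1.0.0 uses a SHA-1 variant).
    md = hashlib.md5(der_subject).digest()
    return "%08x" % int.from_bytes(md[:4], "little")
def der_cn_name(cn: str) -> bytes:
    # Constructed DER X.501 Name with a single commonName (OID 2.5.4.3).
    s = cn.encode("ascii")
    atv = b"\x06\x03\x55\x04\x03\x13" + bytes([len(s)]) + s  # OID + PrintableString
    atv = b"\x30" + bytes([len(atv)]) + atv    # AttributeTypeAndValue SEQUENCE
    rdn = b"\x31" + bytes([len(atv)]) + atv    # RelativeDistinguishedName SET
    return b"\x30" + bytes([len(rdn)]) + rdn   # Name SEQUENCE
LINK_RE = re.compile(r"^[0-9a-fA-F]+\.[0-9]+$")  # what the Makefile's clean target removes
def clean(cadir: str) -> None:
    for name in os.listdir(cadir):
        path = os.path.join(cadir, name)
        if LINK_RE.match(name) and os.path.islink(path):
            os.remove(path)
def update(cadir: str, subjects: dict) -> dict:
    # 'subjects' maps each *.crt file name to its DER subject (a real tool reads it
    # from the certificate). Returns {crt: link name}; files containing SKIPME are skipped.
    clean(cadir)
    links = {}
    for crt in sorted(n for n in os.listdir(cadir) if n.endswith(".crt")):
        with open(os.path.join(cadir, crt), "rb") as f:
            if b"SKIPME" in f.read():
                continue
        h, n = subject_hash_old(subjects[crt]), 0
        while os.path.lexists(os.path.join(cadir, f"{h}.{n}")):
            n += 1                               # same hash already linked: next suffix
        os.symlink(crt, os.path.join(cadir, f"{h}.{n}"))
        links[crt] = f"{h}.{n}"
    return links
def demo() -> dict:
    # Constructed CA directory: root CA, sub CA, a duplicate of the root's subject
    # (forces a hash collision) and one file marked SKIPME.
    cadir = tempfile.mkdtemp()
    subjects = {"root.crt": der_cn_name("Test Root CA"), "sub.crt": der_cn_name("Test Sub CA"),
                "dup.crt": der_cn_name("Test Root CA"), "old.crt": der_cn_name("Old CA")}
    for name in subjects:
        with open(os.path.join(cadir, name), "w") as f:
            f.write("SKIPME\n" if name == "old.crt" else "-----BEGIN CERTIFICATE-----\n")
    return update(cadir, subjects)
```

A CA directory without these links is indistinguishable to mod_ssl from an empty one, so a missing or stale link is one way to end up with "unable to get local issuer certificate" even though the CA file is present.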

Re: Client authentication and Chain certs

On 24.10.2003 15:48:28 by Bruno Georges

Chris
I had exactly the same issue.
The problem was that when I moved to this new type of cert [sub CA], I
didn't read all the installation information :-)
We used BT Trust Services which provided an 'intermediate certificate'.
The intermediate cert is required to identify the Root CA.
I downloaded it from their site on our server.
I used the SSLCertificateChainFile directive first but still the server
wouldn't start.
Error was:
[Wed Aug 20 19:41:22 2003] [error] Failed to configure CA certificate chain!

I then used:
SSLCACertificateFile /www/ssl/oursite.co.uk/intermediate.crt
SSLCertificateFile /www/ssl/oursite.co.uk/oursite.crt
SSLCertificateKeyFile /www/ssl/oursite.co.uk/oursite.key
It works perfectly with Apache 2.0.4x

Hope this helps.

Regards
Bruno Georges
On Friday, Oct 24, 2003, at 15:04 Europe/London, Chris Covell wrote:

> Hello there, can any of you guys help me with this problem please ?
>
> I have been using mod_ssl and client authentication via apache for
> some time
> now without any problems. My Apache configuration has been the usual:
>
> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/cacert.crt
>
> No worries.
>
> Up until now the CA certificate has always been a self signed root CA.
> But
> today I need to use a web server cert signed by a sub CA and have my
> clients
> authenticated using certs from the sub CA.
>
> I did not think that this would be a problem, so I just copied the
> correct
> files in to the correct places (sub ca cert to SSLCACertificateFile and
> server cert to SSLCertificateFile). But I got a page not found error
> in IE
> and the Apache error:
>
> mod_ssl: Certificate Verification: Error (20): unable to get local
> issuer
> certificate
>
> OK, so I implemented the SSLCertificateChainFile
>
> with a bundle of the two certs in my chain, sub and root.
>
> I know openssl can get them because:
>
> openssl verify -CAfile chain.crt server.crt
>
> works a treat.
>
> I have now tried various combinations of chain file content (root ca,
> sub ca,
> etc) and even putting the chain certs in the server.crt file, but none
> of
> these helps.
>
> I am running an "up2date" RedHat 7.2 with out the box apache and mod
> ssl.
>
> Has anyone got an answer for me, please !!!!! I am sure this is
> possible, and
> none of the docs seem to sugest that I am going to have any issues.
>
> Chris...
>
Bruno Georges
Xbridge Ltd
Tel: +44 (0) 207 378 9830
Mob: +44 (0) 787 988 4895


Re: Client authentication and Chain certs

On 24.10.2003 15:52:51 by Matt Stevenson

I have this setup, this should work...

SSLCertificateFile /opt/DKBapache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /opt/DKBapache/conf/ssl.key/server.key
SSLCACertificateFile /opt/DKBapache/conf/ssl.crt/CA.crt
SSLVerifyClient require
SSLVerifyDepth 2

The CA.crt file contains the Root and intermediate
certs. These are also used at startup to make the
server cert chain (our client and server certs have
the same root, use SSLCertificateChainFile for the
server chain if not). Make sure you have the
SSLVerifyDepth 2 line.

Regards
Matt
--- Chris Covell wrote:
> Hello there Martial,
>
> many thanks for your quick reply.
>
> > We also have: root CA -> sub CA -> client or server cert
> >
> > we have put the root and sub CA in a directory pointed by:
> > SSLCACertificatePath
> >
>
> In separate files ?
>
> > In this directory we have the attached Makefile that we run to make a
> > hash of all CA and link the result of the hash to each CA.
> >
> > This work fine with apache 1.3.3x to the latest 2.4.
>
> Did you use "SSLCertificateChainFile" in the httpd.conf ?
>
> Chris...
>



Client authentication and Chain certs

On 24.10.2003 16:04:06 by Chris Covell

Hello there, can any of you guys help me with this problem please ?

I have been using mod_ssl and client authentication via apache for some time
now without any problems. My Apache configuration has been the usual:

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/cacert.crt

No worries.

Up until now the CA certificate has always been a self signed root CA. But
today I need to use a web server cert signed by a sub CA and have my clients
authenticated using certs from the sub CA.

I did not think that this would be a problem, so I just copied the correct
files in to the correct places (sub ca cert to SSLCACertificateFile and
server cert to SSLCertificateFile). But I got a page not found error in IE
and the Apache error:

mod_ssl: Certificate Verification: Error (20): unable to get local issuer
certificate

OK, so I implemented the SSLCertificateChainFile

with a bundle of the two certs in my chain, sub and root.

I know openssl can get them because:

openssl verify -CAfile chain.crt server.crt

works a treat.

I have now tried various combinations of chain file content (root ca, sub ca,
etc) and even putting the chain certs in the server.crt file, but none of
these helps.

I am running an "up2date" RedHat 7.2 with out-of-the-box apache and mod ssl.

Has anyone got an answer for me, please !!!!! I am sure this is possible, and
none of the docs seem to suggest that I am going to have any issues.

Chris...


Re: Client authentication and Chain certs

On 24.10.2003 16:23:20 by Chris Covell

Hello there Martial,

many thanks for your quick reply.

> We also have: root CA -> sub CA -> client or server cert
>
> we have put the root and sub CA in a directory pointed by:
> SSLCACertificatePath
>

In separate files ?

> In this directory we have the attached Makefile that we run to make a
> hash of all CA and link the result of the hash to each CA.
>
> This work fine with apache 1.3.3x to the latest 2.4.

Did you use "SSLCertificateChainFile" in the httpd.conf ?

Chris...

Re: Client authentication and Chain certs

On 24.10.2003 16:49:10 by m.chartoire

On 24 Oct, Chris Covell wrote:
> Hello there Martial,
>
> many thanks for you quick reply.
>
>> We also have: root CA -> sub CA -> client or server cert
>>
>> we have put the root and sub CA in a directory pointed by:
>> SSLCACertificatePath
>>
>
> In separate files ?

Yes, each CA is in a separate file.
>
>> In this directory we have the attached Makefile that we run to make a
>> hash of all CA and link the result of the hash to each CA.
>>
>> This work fine with apache 1.3.3x to the latest 2.4.
>
> Did you use "SSLCertificateChainFile" in the httpd.conf ?

No, only SSLCACertificatePath /path/to/the/directory-containing-files
>
> Chris...

--
Martial Chartoire, Service Informatique | E-mail: m.chartoire@ipnl.in2p3.fr
Institut de Physique Nucleaire de Lyon | phone : +33 472 448 430
43, BD du 11 Novembre 1918 | fax : +33 472 448 004
F 69622 Villeurbanne Cedex |

Re: Client authentication and Chain certs

On 24.10.2003 19:00:07 by Chris Covell

Many thanks to those of you who have helped me on this.

Unfortunately I still have the problem. I have also duplicated the problem on
a completely different environment, so I think it is either me, or the
certificates I am using !

I have taken all of your advice and set up the web server like this:

SSLCertificateFile .../conf/ssl.crt/server.crt
SSLCertificateKeyFile .../conf/ssl.key/server.key
SSLCACertificateFile .../conf/ssl.crt/cacert.crt

SSLVerifyClient require
SSLVerifyDepth 2

where the cacert.crt file has both the sub and the root CA certificates in it.

The error I am getting in the apache log is:

mod_ssl: Certificate Verification Error (24): invalid CA certificate

I have checked the certificate and chain via the openssl command:

openssl verify -CAfile cacert.crt server.crt

and this is fine.

Does anybody know where I can get a good description of the conditions that
produce the above mod_ssl error ? I don't even know if this is a problem with
the certificates on the server, or the certificates passed by the client.

Yours hopefully,

Chris...

Re: Client authentication and Chain certs

On 27.10.2003 13:00:36 by Chris Covell

Guys, just to let you know that I have solved the problem.

The CA cert I was using was bad (wrong extensions set). That is why
Apache/mod_ssl was saying that it was an invalid CA cert. Using a different
CA solved my problem and I can use client certs to log on fine now !

Many thanks for your help on this.

Chris...

On Friday 24 October 2003 18:00, Chris Covell wrote:
> Many thanks to those of you who have helped me on this.
>
> Unfortunately I still have the problem. I have also duplicated the problem
> on a completely different environment, so I think it is either me, or the
> certificates I am using !
>
> I have taken all of your advice and set up the web server like this:
>
> SSLCertificateFile .../conf/ssl.crt/server.crt
> SSLCertificateKeyFile .../conf/ssl.key/server.key
> SSLCACertificateFile .../conf/ssl.crt/cacert.crt
>
> SSLVerifyClient require
> SSLVerifyDepth 2
>
> where the cacert.crt file has both the sub and the root CA certificates in
> it.
>
> The error I am getting in the apache log is:
>
> mod_ssl: Certificate Verification Error (24): invalid CA certificate
>

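The thread runs through three distinct failures: error 20 while only the sub CA was known to the server, the need for SSLVerifyDepth 2 once the chain had two CAs above the client cert, and finally error 24 from a sub CA certificate issued without proper CA extensions. As an added example (not from the thread and not OpenSSL's real path-validation code), the following is a deliberately simplified model of the order in which those checks are applied, enough to reproduce the error numbers seen above; error numbers 18 and 22 are OpenSSL's own, and all certificates are constructed.

```python
from dataclasses import dataclass

# Verification error numbers as OpenSSL/mod_ssl reports them; 20 and 24 are the
# ones quoted in this thread, 18 and 22 are the other two this model can produce.
ERR_DEPTH_ZERO_SELF_SIGNED = 18
ERR_UNABLE_TO_GET_LOCAL_ISSUER = 20
ERR_CHAIN_TOO_LONG = 22
ERR_INVALID_CA = 24

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False   # basicConstraints CA:TRUE (plus keyUsage keyCertSign)

def verify(leaf, trusted, verify_depth):
    # Build the chain upwards using only the certs mod_ssl knows from
    # SSLCACertificateFile/Path, then apply SSLVerifyDepth and the CA checks.
    by_subject = {c.subject: c for c in trusted}
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            return False, ERR_UNABLE_TO_GET_LOCAL_ISSUER
        chain.append(issuer)
    if chain[-1] not in trusted:          # self-signed leaf that nobody trusts
        return False, ERR_DEPTH_ZERO_SELF_SIGNED
    if len(chain) - 1 > verify_depth:     # number of CA certs above the leaf
        return False, ERR_CHAIN_TOO_LONG
    if not all(c.is_ca for c in chain[1:]):
        return False, ERR_INVALID_CA
    return True, 0

def thread_scenarios():
    # Constructed certs mirroring the thread: root -> sub CA -> client cert.
    root = Cert("Root CA", "Root CA", is_ca=True)
    sub = Cert("Sub CA", "Root CA", is_ca=True)
    bad_sub = Cert("Sub CA", "Root CA", is_ca=False)  # "wrong extensions set"
    client = Cert("client", "Sub CA")
    return {
        "only sub CA trusted": verify(client, [sub], 2),               # error 20
        "root+sub, SSLVerifyDepth 1": verify(client, [root, sub], 1),  # error 22
        "root+bad sub, depth 2": verify(client, [root, bad_sub], 2),   # error 24
        "root+sub, depth 2": verify(client, [root, sub], 2),           # OK
    }
```

Note that "openssl verify -CAfile" succeeding, as Chris reports, only proves the chain builds from the file; the is_ca check is the part that distinguishes a usable CA certificate from one that merely signs.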