Differentiate web access based on sub CA"s

Differentiate web access based on sub CA"s

am 11.01.2008 23:18:21 von Carol Overes

Hi,

I have the following CA structure:

Root CA (cacert.pem)
|
|_ sub CA 'A' (subcaacert.pem)
|
|_ sub CA 'B' (subcabcert.pem)

The idea is give web access for certificates which are issued by sub CA
'A'. Certificates issued by sub CA must be rejected. I don't want to use
things like SSLRequire directive to match certain fields in the
certificate, but I want to use the structure of the CA. I use Apache 2.2.4.

Here is my first Apache configuration:

SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile //cachain.pem
SSLCertificateFile //cert.pem
SSLCertificateKeyFile //key.pem

cachain.pem contains the Root CA and the sub CA 'A'. The cipher-blocks
are added in the file in the described order. And I have also tried when
the two certificates were merged like:

openssl x509 -outform PEM -in subcaacert.pem -in subcabcert.pem -out
cachain.pem

When I connect with a certificate which is issued by sub CA 'A', I get
the following error:

certificate chain too long (chain has 2 certificates, but maximum
allowed are only 1)

It seems that the certificate chain length is greater than the supplied
maximum depth. So, I changed to the following configuration:

SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile //cachain.pem
SSLCertificateFile //cert.pem
SSLCertificateKeyFile //key.pem

I'm able to authenticate with my certificate, issued by sub CA 'A'. But
I can also authenticate with a certificate which is issued by sub CA 'B'.

Instead of using SSLCACertificateFile I tried to use SSLCACertificatePath.

SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificatePath //
SSLCertificateFile //cert.pem
SSLCertificateKeyFile //key.pem

The directory where SSLCACertificatePath refers to, contains cacert.pem
and subcaacert.pem. Also, hash symlinks are created in that directory
with the Makefile
(http://search.cpan.org/src/MADWOLF/OpenCA-PKCS7-0.9.13/test /chain/Makefile).

When I connect with a certificate issued by sub CA 'A' I get the
following error:

Certificate Verification: Error (20): unable to get local issuer certificate

I'm kinda stuck at the moment. I have tried to google for some
solutions, but I haven't found anything that is useful.

Can anyone advice me on how to solve this issue?

Thanks in advance for any help.

Kind regards,

Carol

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org