Client Verification with sub ca's
on 12.03.2009 15:03:07 by leanmeandonothingmachine
I have a self-signed CA with multiple sub-CAs.
    root
      -sub-ca1
      -sub-ca2
      -server
I sign client certificates with either -sub-ca1 or -sub-ca2, and use server
to sign certificates for the actual website. So in my Apache config, I have
this:
    SSLEngine on
    SSLOptions +stdEnvVars
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/keys/test.crt
    SSLCertificateKeyFile /data/keys/test.key
    SSLCertificateChainFile /data/keys/chain.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /data/keys/ca.pem
test.crt is signed by server.
chain.pem contains server and root in that order
ca.pem contains sub-ca2 and root in that order
Everything seems to work fine except for the fact that the website also
accepts client certificates signed by sub-ca1. But I'm trying to restrict
this site to only sub-ca2 clients.
I tried:
1) removing the root from ca.pem, that gives me a "Certificate Verification:
Error (2): unable to get issuer certificate" error.
2) removing the root from ca.pem and adding sub-ca2 to chain.pem, same error.
3) changing SSLVerifyDepth to 1, that gives me a "Certificate Verification:
Certificate Chain too long (chain has 2 certificates, but maximum allowed
are only 1)" error.
Anyone know how to get apache to only allow clients from one sub-ca but not
others signed by the same root?
--
View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22469681.html
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Client Verification with sub ca's
on 12.03.2009 15:21:36 by Matt Stevenson
Hi,
Same setup as works with both sub-CAs. Use the SSLRequire directive. Restrict on the client cert's issuer field (SSL_CLIENT_I_DN...).
Regards
Matt
Re: Client Verification with sub ca's
on 12.03.2009 16:25:00 by leanmeandonothingmachine
Thanks, that works. A little tricky if you want to use SSLVerifyClient
optional, as it 403s everything in that case instead of just not filling in
the client variables. But I can always do that programmatically if I need it.
--
View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22478223.html
Re: Client Verification with sub ca's
on 12.03.2009 16:25:58 by leanmeandonothingmachine
Thanks, that works. A little tricky if you want to use SSLVerifyClient
optional, as it 403s everything in that case instead of just not filling in
the client variables. But I can always do that programmatically if I need it.
--
View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22478226.html
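The fix Matt suggests, written out as an added example against the poster's own setup (this is not the poster's or Matt's configuration). It also covers the SSLVerifyClient optional case raised in the last reply. The issuer CN "sub-ca2" is an assumption standing in for whatever CN the real sub-ca2 certificate carries; the paths are the ones from the original post.

```apache
# Added example, not the configuration from the thread.  The issuer CN
# "sub-ca2" is a placeholder: read the real value from a client certificate
# with
#     openssl x509 -in client.crt -noout -issuer
# and match on that instead.

SSLEngine on
SSLOptions +stdEnvVars
SSLCertificateFile      /data/keys/test.crt
SSLCertificateKeyFile   /data/keys/test.key
SSLCertificateChainFile /data/keys/chain.pem

# ca.pem (sub-ca2 + root) is the set of trust anchors.  Because root is in
# it, every certificate that chains to root verifies, sub-ca1 clients
# included, which is why removing root or lowering SSLVerifyDepth only
# produced verification errors.  "Which sub-CA" is a policy decision, made
# with SSLRequire after chain verification has succeeded.
SSLCACertificateFile    /data/keys/ca.pem
SSLVerifyClient require
SSLVerifyDepth 2

# SSLRequire is a directory-context directive, so it goes in a <Location>
# or <Directory> block.  A client whose certificate verifies but whose
# issuer is not sub-ca2 receives a 403.
<Location />
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "sub-ca2"
</Location>

# Variant for "SSLVerifyClient optional": connections that present no
# client certificate have SSL_CLIENT_VERIFY set to "NONE" and empty
# SSL_CLIENT_* variables, so let those through for the application to
# handle, while still refusing certificates issued by sub-ca1.  Use this
# in place of the <Location> block above, not in addition to it.
#
# SSLVerifyClient optional
# <Location />
#     SSLRequire %{SSL_CLIENT_VERIFY} eq "NONE" or %{SSL_CLIENT_I_DN_CN} eq "sub-ca2"
# </Location>
```

Matching on SSL_CLIENT_I_DN_CN is enough here because every CA in play chains to the same privately held root; where a CN could be reused across CAs, compare the full SSL_CLIENT_I_DN string instead. With the optional variant, the application must treat an empty SSL_CLIENT_S_DN as unauthenticated rather than assuming mod_ssl already rejected such requests.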