SSL client authentication with multiple CA

on 25.08.2009 19:37:12 by Lampa

Hello,

On http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
the Context is listed as: server config, virtual host, but in the examples it
is used in Directory context, so I assumed that this is a documentation typo.

I am using a web server with HTTPS (certificate signed by Thawte), but my
problem is that I tried to use client authentication with certificates; now I
have 2 (in future this will grow) directories which should be protected. I
have one CA (self-signed, e.g. a root CA - conf/ssl/v1.crt) for version 1;
the second version uses its own CA (intermediate - conf/ssl/ca/v2.crt), which
is issued by another root CA (conf/ssl/ca/v2root.crt) (different from version
1); the file conf/ssl/ca.crt contains the chained version 1 and 2 (i.e. 2
certs). This setting is working weirdly - v2 is using v1 certificates, which
it must not. I need only access to v1/ with v1.crt-signed certs and v2/ with
v2.crt-signed certs. I tried to use the example from
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#certauthenticate
(the second example - where the clients are all part of a common hierarchy,
which is encoded into the DN), but I have 2 directories and 2 CAs; if I
enable the commented-out SSLCACertificateFile conf/ssl/ca/v2.crt for v2, v1
stops working and I get "Re-negotiation handshake failed: Not accepted by
client!?" in error.log.

Any advice and help would be most welcome.

Thank you.

config snippet (options are in server context):

.....
SSLCertificateChainFile conf/ssl/ca.crt


SSLVerifyClient require
SSLVerifyDepth 1

SSLCACertificateFile conf/ssl/v1.crt



SSLVerifyClient require
SSLVerifyDepth 2
SSLOptions +ExportCertData +StrictRequire
# SSLCACertificateFile conf/ssl/ca/v2.crt
SSLCACertificatePath conf/ssl/ca
SSLRequireSSL

....

--
Lampa
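One way to get the per-directory split the post above asks for, as an added example that is not part of the original thread or of the Apache documentation: put every client CA (the v1 root, the v2 intermediate and the v2 root that issued it) into one SSLCACertificateFile bundle at server or virtual-host level (SSLCertificateChainFile is for the server certificate's own chain, not for client CAs), then let each Location restrict access to certificates whose issuer is the intended CA with SSLRequire on SSL_CLIENT_I_DN. Since the CA list no longer differs between the server context and the per-directory context, the renegotiation mod_ssl performs on entering the Location only adds the client-certificate request instead of swapping the acceptable-CA set. The Location paths, the bundle file name and the issuer DN strings are assumptions; the real issuer DNs come from `openssl x509 -in <ca file> -noout -subject`.

```apache
# Server or <VirtualHost> context.
# Assumed bundle, built once with:
#   cat conf/ssl/v1.crt conf/ssl/ca/v2.crt conf/ssl/ca/v2root.crt \
#       > conf/ssl/clients-ca-bundle.crt
# It lists every CA that may issue a client certificate for this host, so a
# single CA list is sent to clients and per-directory renegotiation never
# changes it.
SSLCACertificateFile conf/ssl/clients-ca-bundle.crt
# Depth 2 covers both chains: client -> v1 root (1) and
# client -> v2 intermediate -> v2 root (2).
SSLVerifyDepth 2
# Keep the public, Thawte-protected part of the site free of client auth.
SSLVerifyClient none

# Assumed path; the post calls the tree "v1/".
<Location /v1/>
    SSLRequireSSL
    SSLVerifyClient require
    SSLOptions +StrictRequire
    # Accept only certificates issued directly by the v1 root CA.
    # Placeholder DN in the 2.2 "/C=..." format; httpd 2.4 emits
    # "CN=...,O=...,C=XX" instead unless SSLOptions +LegacyDNStringFormat
    # is set.
    SSLRequire %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example/CN=v1 Root CA"
</Location>

# Assumed path; the post calls the tree "v2/".
<Location /v2/>
    SSLRequireSSL
    SSLVerifyClient require
    SSLOptions +ExportCertData +StrictRequire
    # Accept only certificates issued by the v2 intermediate CA; a v1 client
    # certificate still verifies against the bundle but fails this test.
    SSLRequire %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example/CN=v2 Intermediate CA"
</Location>
```

To confirm which issuer string to compare against, run `openssl x509 -in conf/ssl/v1.crt -noout -subject` and `openssl x509 -in conf/ssl/ca/v2.crt -noout -subject` on the server and paste the output into the respective SSLRequire line; matching on the full issuer DN rather than on a substring keeps a third CA with a similar CN from slipping through.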
