Date:      Sun, 28 Sep 2008 14:01:53 +1000
From:      Fraser Tweedale <frase@frase.id.au>
To:        freebsd-questions@freebsd.org
Subject:   [OT] Apache SSL certificate authentication
Message-ID:  <20080928040152.GA7159@bacardi.frase.id.au>



I've been trying to set up Apache to do certificate authentication
and although I've had success using a self-signed CA (which
naturally requires that the CA certificate be installed in the
browser), I want to do the same, only have the certificate(s) signed
by a real(*) CA, and am having some difficulty.

(*) Specifically, CACert, which still isn't an OOTB trusted CA in most
	software.

The way I expect this to work is:

- Create my CA key and a CSR, and have CACert sign it.
- Create a server key and CSR, and sign it with my CA
- Create a client certificate, signed by my CA.

So I end up with a certificate chain that goes:
	CACert -> my CA -> my server

But... this is not working.  Firefox won't verify the server (the
CACert root certificate .is. installed), and having bypassed this
check, Apache won't verify the client either.

The Apache configuration is as follows:

<VirtualHost *:443>
    ServerName foo.bar
    DocumentRoot /path/to/htdocs
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    # server certificate (signed by my CA) and its private key
    SSLCertificateFile /sslpath/server.crt
    SSLCertificateKeyFile /sslpath/server.key
    # CA certificate(s) mod_ssl uses to verify client certificates
    SSLCACertificateFile /sslpath/my-ca.crt
    # a client certificate is mandatory; chains are checked one CA deep
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>


Any suggestions are appreciated,

frase


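A worked example, added here and not part of the original message, that reproduces the three-tier chain described above (root -> my CA -> server and client) with plain openssl and then probes what `openssl verify` accepts for each set of trust inputs. The root is a constructed, self-signed certificate standing in for the CACert root; the subject names, file names and the `ssl.cnf` profiles are all made up for the example, and no real CA is contacted.

```sh
#!/bin/sh
# Added example (not from the original post): build a stand-in three-tier
# chain with openssl and probe `openssl verify` under different trust inputs.
# The "root" is a constructed self-signed cert standing in for the external
# CA's root; all names are invented and nothing here talks to a real CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One config for `req` (so it never needs the system openssl.cnf) plus the
# v3 extension profiles used when signing. A CA certificate needs CA:TRUE or
# openssl will refuse to build a chain through it.
cat > "$WORK/ssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# key_and_csr NAME SUBJECT: fresh RSA key plus a CSR for it.
key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ssl.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# sign NAME ISSUER SECTION: issue NAME's CSR under ISSUER's key using the
# extension profile SECTION from ssl.cnf. ISSUER "self" self-signs.
sign() {
    if [ "$2" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
            -extfile "$WORK/ssl.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
            -CAcreateserial -days 2 -extfile "$WORK/ssl.cnf" -extensions "$3" \
            -out "$WORK/$1.crt" 2>/dev/null
    fi
}

# verify_ok CERT [verify options...]: 0 iff openssl prints "<file>: OK".
# Old openssl releases exit 0 even on failure, so the output is checked.
verify_ok() {
    cert="$1"; shift
    openssl verify "$@" "$WORK/$cert.crt" 2>&1 | grep -q ': OK$'
}

make_chain() {
    key_and_csr root   '/CN=Stand-in Root CA';   sign root   self  ca
    key_and_csr my-ca  '/CN=My Intermediate CA'; sign my-ca  root  ca
    key_and_csr server '/CN=foo.bar';            sign server my-ca server
    key_and_csr client '/CN=frase';              sign client my-ca client
    # A CA file for client verification has to reach a self-signed root,
    # so it carries the root as well as the intermediate.
    cat "$WORK/root.crt" "$WORK/my-ca.crt" > "$WORK/ca-bundle.crt"
}

# show LABEL CERT [verify options...]: one OK/FAIL line per probe.
show() {
    label="$1"; shift
    if verify_ok "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

make_chain
show "server: root trusted, intermediate supplied"  server -CAfile "$WORK/root.crt" -untrusted "$WORK/my-ca.crt"
show "server: root trusted, intermediate missing"   server -CAfile "$WORK/root.crt"
show "client: only the intermediate in the CA file" client -CAfile "$WORK/my-ca.crt"
show "client: root + intermediate in the CA file"   client -CAfile "$WORK/ca-bundle.crt"
show "client: checked for the sslclient purpose"    client -CAfile "$WORK/ca-bundle.crt" -purpose sslclient
show "server cert offered as a client cert"         server -CAfile "$WORK/ca-bundle.crt" -purpose sslclient
```

Run it with `sh`; the first, fourth and fifth probes print OK, the others FAIL. The `-untrusted my-ca.crt` argument plays the part of the intermediate a server has to send during the handshake (Apache 2.2's SSLCertificateChainFile; from 2.4.8 it can simply be appended to SSLCertificateFile), and the ca-bundle probes show that openssl does not treat a non-self-signed intermediate as a trust anchor unless `-partial_chain` (OpenSSL 1.0.2 and later) is given, so a CA file used for client verification has to run all the way up to the root. The `-purpose sslclient` probes mirror the purpose check applied when a TLS server verifies a client certificate, which is why the leaf's extendedKeyUsage matters as well. mod_ssl's documentation describes SSLVerifyDepth 1 as a client certificate "signed by a CA which is directly known to the server", so a chain with an intermediate in it is worth re-checking against that setting too.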



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080928040152.GA7159>