From: Fraser Tweedale
To: freebsd-questions@freebsd.org
Date: Sun, 28 Sep 2008 14:01:53 +1000
Subject: [OT] Apache SSL certificate authentication
Message-ID: <20080928040152.GA7159@bacardi.frase.id.au>

I've been trying to set up Apache to do certificate authentication and
although I've had success using a self-signed CA (which naturally requires
that the CA certificate be installed in the browser), I want to do the
same, only have the certificate(s) signed by a real(*) CA, and am having
some difficulty.

(*) Specifically, CACert, which still isn't an OOTB trusted CA in most
software.

The way I expect this to work is:

- Create my CA key and a CSR, and have CACert sign it.
- Create a server key and CSR, and sign it with my CA.
- Create a client certificate, signed by my CA.

So I end up with a certificate chain that goes:

  CACert -> my CA -> my server

But... this is not working. Firefox won't verify the server (the CACert
root certificate .is. installed), and having bypassed this check, Apache
won't verify the client either.

The Apache configuration is as follows:

  ServerName foo.bar
  DocumentRoot /path/to/htdocs
  SSLEngine on
  SSLCipherSuite HIGH:MEDIUM
  SSLProtocol all -SSLv2
  SSLCertificateFile /sslpath/server.crt
  SSLCertificateKeyFile /sslpath/server.key
  SSLCACertificateFile /sslpath/my-ca.crt
  SSLVerifyClient require
  SSLVerifyDepth 1

Any suggestions are appreciated,

frase
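An added example, not part of the original post: it rebuilds the chain the poster describes (CACert root -> my CA -> server) with throwaway keys and runs the three verification shapes behind the two failures reported, the root known but the intermediate not sent, the intermediate known but no root, and root plus intermediate supplied together. Every name and file is constructed; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post: build the three-tier chain the
# poster describes (CACert root -> "my CA" -> server) with throwaway keys and
# show which trust inputs let the server certificate verify. Assumes the
# openssl CLI is installed; every name and file below is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_chain() {
  # Root CA standing in for the CACert root: self-signed, CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
  # Intermediate ("my CA"): CSR signed by the root, marked as a CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout my-ca.key -out my-ca.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in my-ca.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out my-ca.crt 2>/dev/null
  # Server certificate signed by the intermediate (end entity, not a CA).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=foo.bar" \
    -keyout server.key -out server.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:foo.bar\n' > srv.ext
  openssl x509 -req -in server.csr -CA my-ca.crt -CAkey my-ca.key -CAcreateserial \
    -days 2 -extfile srv.ext -out server.crt 2>/dev/null
}

# Only the root is trusted and the intermediate is absent: the browser's
# situation when the server does not send its intermediate. Fails.
verify_root_only() {
  openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}
# Only the intermediate is given as trusted: the chain never reaches a
# self-signed root, so OpenSSL rejects it (no partial-chain mode). Fails.
verify_intermediate_only() {
  openssl verify -CAfile my-ca.crt server.crt >/dev/null 2>&1
}
# Root trusted, intermediate supplied as an untrusted chain certificate:
# the shape a server achieves with SSLCertificateChainFile. Succeeds.
verify_with_chain() {
  openssl verify -CAfile root.crt -untrusted my-ca.crt server.crt >/dev/null 2>&1
}

make_chain
verify_root_only         || echo "root only, no intermediate:        FAIL"
verify_intermediate_only || echo "intermediate only, no root:        FAIL"
verify_with_chain        && echo "root trusted + intermediate sent:  OK"
```

The same three shapes apply to the client-certificate side: a CA file that holds only the intermediate, without the self-signed root above it, leaves OpenSSL no trust anchor to finish the chain.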