[OT] Apache SSL certificate authentication
Fraser Tweedale
frase at frase.id.au
Sun Sep 28 04:01:58 UTC 2008
I've been trying to set up Apache to do certificate authentication
and although I've had success using a self-signed CA (which
naturally requires that the CA certificate be installed in the
browser), I want to do the same, only have the certificate(s) signed
by a real(*) CA, and am having some difficulty.
(*) Specifically, CACert, which still isn't an OOTB trusted CA in most
software.
The way I expect this to work is:
- Create my CA key and a CSR, and have CACert sign it.
- Create a server key and CSR, and sign it with my CA.
- Create a client certificate, signed by my CA.
So I end up with a certificate chain that goes:
CACert -> my CA -> my server
But... this is not working. Firefox won't verify the server (the
CACert root certificate .is. installed), and having bypassed this
check, Apache won't verify the client either.
The Apache configuration is as follows:
<VirtualHost *:443>
    ServerName foo.bar
    DocumentRoot /path/to/htdocs
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /sslpath/server.crt
    SSLCertificateKeyFile /sslpath/server.key
    SSLCACertificateFile /sslpath/my-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
Any suggestions are appreciated,
frase
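The chain the post describes has an intermediate CA sitting between the trusted root and the end-entity certificates, and both reported symptoms are what a verifier produces when it cannot close such a chain. The script below is an added example, not code from the original post, from Apache or from CACert: it builds a throwaway root, intermediate, server and client certificate (every name is constructed; no real CACert material is used) and runs `openssl verify` once in the role of the browser and once in the role of the server. The server-side checks also show the trade-off a defender has to weigh: anchoring trust at the public root makes every certificate under that root acceptable, while anchoring at the intermediate requires partial-chain verification.

```shell
#!/bin/sh
# Added example, not code from the original post: build a three-tier chain
#   external root -> my intermediate CA -> server / client certificates
# from throwaway keys, then use `openssl verify` to show what each side of
# the handshake must hold for that chain to validate. Every name below
# (Example Root CA, My Intermediate CA, foo.bar, "someone else") is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "needs the openssl CLI" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue NAME SUBJECT SIGNER EXT...: create a key and CSR for NAME and sign it.
# SIGNER "self" yields a self-signed certificate (the root); any other value
# signs with SIGNER.crt / SIGNER.key. The EXT lines become the -extfile.
issue() {
    name=$1; subj=$2; signer=$3; shift 3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subj" >/dev/null 2>&1
    printf '%s\n' "$@" > "$name.ext"
    if [ "$signer" = self ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
            -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$name.csr" -CA "$signer.crt" -CAkey "$signer.key" \
            -CAcreateserial -days 30 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
    fi
}

CA_EXT='basicConstraints=critical,CA:TRUE'
CA_KU='keyUsage=critical,keyCertSign,cRLSign'
EE_EXT='basicConstraints=CA:FALSE'

issue root     '/CN=Example Root CA'    self  "$CA_EXT" "$CA_KU"
issue my-ca    '/CN=My Intermediate CA' root  "$CA_EXT,pathlen:0" "$CA_KU"
issue server   '/CN=foo.bar'            my-ca "$EE_EXT" 'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:foo.bar'
issue client   '/CN=my client'          my-ca "$EE_EXT" 'extendedKeyUsage=clientAuth'
# A certificate the root issued to an unrelated party (constructed).
issue stranger '/CN=someone else'       root  "$EE_EXT" 'extendedKeyUsage=clientAuth'
cat root.crt my-ca.crt > ca-bundle.crt

# verdict VERIFY-ARGS...: run `openssl verify` and report ok or fail.
verdict() {
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Browser side: it trusts the root only. Given the server certificate and
# nothing else (what a VirtualHost with no chain file sends) there is no path
# to the root; sending the intermediate as well, untrusted, closes the path.
browser_gets_server_cert_only()      { verdict -CAfile root.crt server.crt; }
browser_gets_cert_and_intermediate() { verdict -CAfile root.crt -untrusted my-ca.crt server.crt; }

# Server side, verifying the client certificate. A trust store holding only
# a non-self-signed intermediate has no anchor, so strict verification fails
# even for a client the intermediate really issued.
apache_trusts_intermediate_only()    { verdict -CAfile my-ca.crt client.crt; }
# Adding the root fixes that, but now every certificate under the root
# verifies, including one the intermediate never issued.
apache_trusts_root_and_intermediate() { verdict -CAfile ca-bundle.crt client.crt; }
apache_root_trust_admits_stranger()  { verdict -CAfile ca-bundle.crt stranger.crt; }
# Partial-chain verification anchors at the intermediate itself: the intended
# clients pass and the stranger is rejected.
partial_chain_accepts_client()       { verdict -CAfile my-ca.crt -partial_chain client.crt; }
partial_chain_rejects_stranger()     { verdict -CAfile my-ca.crt -partial_chain stranger.crt; }

for f in browser_gets_server_cert_only browser_gets_cert_and_intermediate \
         apache_trusts_intermediate_only apache_trusts_root_and_intermediate \
         apache_root_trust_admits_stranger partial_chain_accepts_client \
         partial_chain_rejects_stranger; do
    printf '%-38s %s\n' "$f" "$($f)"
done
```

Run it with `sh`; it needs the openssl CLI (1.0.2 or later for `-partial_chain`). In mod_ssl terms the browser-side pair corresponds to whether the VirtualHost also ships the intermediate (SSLCertificateChainFile in Apache 2.2; appended to SSLCertificateFile from 2.4.8 on), and the server-side pair to what SSLCACertificateFile contains. If that file has to include the public root, restrict which issuer is acceptable (for instance with SSLRequire on the client issuer DN), because otherwise any client certificate issued under that root satisfies SSLVerifyClient require.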