klionwei.blogg.se

Make a cert chain crt with simpleauthority






p12 file), and server has CA-certificate.
For that reason, SSLVerifyDepth 1 (default value) is sufficient in my setup. The browser has client certificate (+ key of course, all included in. I don't have any intermediate certificate. Posted: Wed 23 May '18 19:39 Post subject: That is the reason why I chained both the root-CA-cert and the intermediate-cert and used this as "SSLCACertificateFile". So if the webserver only knows about your root-CA and if you are using "SSLVerifyDepth 2" then your webserver does not know the connection between the client-cert and the root-CA-cert. So you have (for the client-auth) the same construction as I have
But depending on the Browser (found out using tcpdump/Wireshark) the intermediate-certificate (that the browser has!) is not submitted to the webserver.


In Apache server (in my setup, version 2.4.33), I have for the web server's certification
1) SSLCertificateFile pointing to chain-file (.pem) created by letsencrypt
2) SSLCertificateKeyFile pointing to key-file (.pem) created by letsencrypt
3) SSLCACertificateFile pointing to CA-file (.crt) created by SimpleAuthority
4) SSLCARevocationFile pointing to revocation file (.pem) created by SimpleAuthority
Furthermore, I use SSLVerifyClient optional so I can also use username/password in case I access my web server from a PC that does not have the client certificate installed. This you have to import to your client computer, that is for each client computer you wish to access the web server using client certificate. p12 file (includes user certificate + CA if you opt for that). Use Simpleauthority to create CA and user certificates. I have a LetsEncrypt certificate for my web server,
And a self-signed certificate for client certification.
Client certificate is created with SimpleAuthority ( ). Posted: Wed 23 May '18 16:06 Post subject:


So I really think that when the web access and users certificates are not signed by the same root ca the verification is not working. PS: I have tested with my own certificate for web access and I have no error. I have created a Root CA and an Intermediate, then I have emitted the users' certificates. Posted: Wed 23 May '18 12:25 Post subject: Posted: Tue 22 May '18 16:28 Post you created your own self-signed CA for signing client-certs or do you have created a bunch of self-signed certificates? I am using LE for web access because it's a public authority (no installation required) and my self-signed ones for client authentication to get the authority on my client auth certificates. Posted: Mon 21 May '18 17:26 Post subject: Might not be a good idea to do it this way but should be possible. Posted: Mon 21 May '18 11:34 Post believe he is using the Let's-encrypt-certificate on the webserver for encryption.
And the self-signed-certificate is for user-authentication. Why are you using self-signed certificates in the chain with Let's Encrypt? Let's Encrypt has its own signed certificates: Posted: Mon 21 May '18 10:40 Post subject: Re: User Certificate Authentication


So if you have only a self-signed/self-created CA that is signing the client's certificates then "SSLVerifyDepth 1" should be sufficient, too. So I have chained the root-CA's cert and the intermediate-CA's cert into one file and configured this as "SSLCACertificateFile" within apache. I have created my own CA with an intermediate CA for signing the certificates used by the clients. SSLCACertificateFile conf/ssl.crt/radde-ca-client-chain.crt Posted: Sun 20 May '18 20:12 Post subject: Location: Schömberg, Baden-Württemberg, Germany
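An added example, not part of the thread: it reproduces the verification result behind Apache's "Error (20): unable to get local issuer certificate" with `openssl verify`, first with only the root CA as trust file and then with the intermediate and root chained into one file as this post describes. It assumes the client presents only its own certificate; the PKI, subjects and file names (`root.crt`, `inter.crt`, `client-ca-chain.crt`) are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: every subject and file name here is made up.
WORK=$(mktemp -d)

# Create an EC key and a CSR.  $1 = file stem, $2 = common name
mkcsr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" &&
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

# Root CA -> intermediate CA -> client certificate, all inside $WORK.
# The last step builds the kind of file the post uses as
# SSLCACertificateFile: intermediate and root concatenated.
build_pki() (
  cd "$WORK" || exit 1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  mkcsr root "Demo Root CA" && mkcsr inter "Demo Intermediate CA" &&
  mkcsr client "Demo Client" &&
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.crt 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.crt 2>/dev/null &&
  openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -out client.crt 2>/dev/null &&
  cat inter.crt root.crt > client-ca-chain.crt
)

# Validate client.crt against trust file $1 (relative to $WORK).
# Prints "OK" or the numeric X.509 verify error code.
verify_with() {
  out=$(openssl verify -CAfile "$WORK/$1" "$WORK/client.crt" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" |
         sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n1 ;;
  esac
}

build_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
echo "trust file = root only           : $(verify_with root.crt)"
echo "trust file = intermediate + root : $(verify_with client-ca-chain.crt)"
```

Error code 20 is the same code Apache logs in AH02039; with the chained file the path from client certificate to root can be built without the client sending the intermediate.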



My Root and Intermediate are installed on Windows Certs Store and Firefox Certificates.


When I test the openssl command openssl s_client -connect url:443 the certificate displayed is the Let's Encrypt one.
Does a configuration permit to force to use my self-signed for user authentication? SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed AH02261: Re-negotiation handshake failed AH02039: Certificate Verification: Error (20): unable to get local issuer certificate On Apache's log I have the following errors:


Peer does not recognize and trust the CA that issued your certificate. If the SSLVerifyClient is set to optional_no_ca all access is working but if I set this to optional or require I have the following error: Then I have configured Apache to use my self-signed certificates for user authentication with SSLCADNRequestPath and SSLCADNRequestFile options. I have emitted some server and client certificates that are OK (e.g. I have configured my self-signed Root CA and Intermediate CA with OpenSSL. My HTTPS access has been configured to use Let's Encrypt certificates I am stuck on the configuration of an authentication of users by certificate. Posted: Sun 20 May '18 10:09 Post subject: User Certificate Authentication






