
List:       apache-ssl
Subject:    [apache-ssl] Please help for Client Certificates
From:       glynns () us ! ibm ! com
Date:       1999-11-28 1:53:26


After much work I have got my apache-ssl httpd server up and running.
It works, however what I want to do is thus:

Authenticate a Client so that a Client requires a certificate that is
issued by the server admin.
This is purely intranet; I'm not looking to use Verisign or any commercial
CAs.

In httpd.conf I have
SSLVerifyClient 2
SSLVerifyDepth 1

I have setup the server to be a CA and the server keys were signed by the
CA and the appropriate directives are in the config file to use the SSLCA
files.

The problem:
I created a client certificate with
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile
demoCA/cacert.pem -name "CERT" -out client.p12

This creates a pkcs12 certificate that I am able to import into Netscape.
(netscape 4.7)

When I try to connect to the server, netscape correctly tells me a
certificate is required, and offers me the choice of using my "CERT"
certificate, which I submit, then fail, Netscape giving "An I/O error
occured during security authorization"

The log file states: error: SSL Routines: SSL3_GET_CLIENT_CERTIFICATE:no
certificates returned.

Using: apache 1.3.9 + ssl 1.37
openssl-0.9.4
Anyone have any ideas what I'm doing wrong?

Please help, I've been trying and searching on this for a couple of days,
and right now I can't figure out whether I can just create a request and
sign it by my own CA, then import it into the browser as suggested by the
ssleay howto, or whether I need to create a cgi, have the client generate a
public/private key pair, submit that via the cgi, then generate a
certificate that way. (I tried both).

Thanks in advance.
Glynn Stanton


Finally,
Never wanting to take and not give back,
For future "archive searchers", Solaris 2.5 x86.
My personal experience of getting this working:
You'll need the developers installation, as a bunch of includes and libs
will be missing.
The GNU as is hard to find unless you happen to know it's in the "binutils"
package.
You also need the GNU patch utility.
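
An added example, not part of the original message: a self-contained check of the client-side artefacts in a private-CA setup like the one described above (certificate chains to the CA, key matches certificate, PKCS#12 bundle carries the certificate). The CA and client are throwaway ones generated in a temp directory; the subject names, the export password and the function name check_client_bundle are assumptions made for illustration, and a current openssl command line is assumed.

```shell
#!/bin/sh
# Constructed example: throwaway CA and client certificate in a temp dir.
# All subject names and the export password are made up for illustration.

check_client_bundle() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Private intranet CA (self-signed).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Intranet CA" \
            -keyout ca.key -out cacert.pem 2>/dev/null || exit 1
        # An unrelated CA, used only for the negative check below.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Other CA" \
            -keyout other.key -out other.pem 2>/dev/null || exit 1
        # Client key and request, then a certificate signed by the intranet CA.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
            -keyout client.key -out client.csr 2>/dev/null || exit 1
        openssl x509 -req -in client.csr -CA cacert.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out newcert.pem 2>/dev/null || exit 1
        # Bundle for browser import, same shape as the command in the post.
        openssl pkcs12 -export -in newcert.pem -inkey client.key \
            -certfile cacert.pem -name "CERT" \
            -passout pass:constructed -out client.p12 || exit 1

        # 1. Does the client certificate chain to the CA the server trusts?
        chain=fail
        openssl verify -CAfile cacert.pem newcert.pem >/dev/null 2>&1 && chain=ok
        # 2. The same certificate must NOT verify against an unrelated CA.
        wrongca=rejected
        openssl verify -CAfile other.pem newcert.pem >/dev/null 2>&1 && wrongca=accepted
        # 3. Does the private key belong to the certificate?
        key=mismatch
        [ "$(openssl x509 -noout -pubkey -in newcert.pem)" = \
          "$(openssl pkey -pubout -in client.key)" ] && key=match
        # 4. Does the PKCS#12 file carry the client certificate?
        p12=missing
        openssl pkcs12 -in client.p12 -passin pass:constructed -nokeys -clcerts \
            2>/dev/null | grep -q "BEGIN CERTIFICATE" && p12=ok

        echo "chain=$chain wrongca=$wrongca key=$key p12=$p12"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

The same four checks can be pointed at real files by replacing the generated names with the actual CA certificate, client certificate, key and .p12 paths.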
