Apache Client Certificate Authentication errors: Certificate Verification: Error (18): self signed certificate

apache-2.2certificate-authoritymod-sslopensslssl-certificate

So I have been following instructions on setting up Client Certificate Authentication in Apache2 w/ mod_ssl. This is solely for the purpose of testing an application against CAA, not for any sort of production use.

So far I've followed http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html for advice on generating my CA, server, and client encryption information. I've put all three of them into /etc/ssl/ca/private. I've setup the following additional directives in my default_ssl site file:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
...
    SSLEngine on
    SSLCertificateFile    /etc/ssl/ca/private/server.crt
    SSLCertificateKeyFile /etc/ssl/ca/private/server.key
    SSLVerifyClient require
    SSLVerifyDepth 2

    SSLCACertificatePath /etc/ssl/ca/private
    SSLCACertificateFile /etc/ssl/ca/private/ca.crt
    <Location />
            SSLRequireSSL
            SSLVerifyClient require
            SSLVerifyDepth 2
    </Location>
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>
...
</VirtualHost>
</IfModule>

I've install the p12 file into Chrome, but when I go to visit https://localhost, I get the following errors

Chrome: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Apache: Certificate Verification: Error (18): self signed certificate

If I had to guess, one of my directives is not setup right to load and verify the p12 w/ my self created CA. But I can't for the life of me figure out what it is. Would anyone have more experience here who could point me in the right direction?

Best Answer

Firstly, I would suggest to avoid to use both SSLCACertificatePath and SSLCACertificateFile at the same time. SSLCACertificatePath is used to point to a directory containing multiple files, one for each CA certificate you trust. SSLCACertificateFile is used to point to a single file, being the concatenation of all the CA certificates you trust. It doesn't really make sense to point SSLCACertificatePath to a directory that also holds private keys (although I'm not sure it would cause problems anyway).

What matters is that the client certificate you're using is issued by one of the CA certificates (pointed to either by whichever of SSLCACertificatePath or SSLCACertificateFile you'll be using): the issuer DN of your client certificate must be the subject DN of one of the CA certificates you've configured this way in Apache Httpd (in addition, it must really be issued by that CA, so your client certificate's signature must be verifiable by the CA certificate's public key, but I'm assuming you've created your CA and issued certificates properly: you may want to check this, just in case).

You can check the content of a certificate (CA or not) in PEM form (often .pem or .crt) using:

openssl x509 -text -noout -in filename.pem

(This should display enough information about the certificate.)

EDIT:

Just in case there might be an issue with your certificates, you could try these test certificates:

http://jsslutils.googlecode.com/svn/tags/jsslutils-root-1.0.7/certificates/src/main/resources/org/jsslutils/certificates/local/

(All the passwords are testtest.)

You can import testclient.p12 into your browser. cacert.pem is the CA certificate in PEM format, and localhost-cert.pem is a server certificate for localhost (so it's intended for testing from the machine itself). localhost-key.pem is the private key for the server certificate. You can unprotect it using:

openssl rsa -in localhost-key.pem -out localhost-key-unprotected.pem

You might need to trust cacert.pem temporarily in your browser, but remove it after the tests (because obviously testtest is not much of a secret, so anyone could use this CA).

Related Topic