So I have been following instructions on setting up Client Certificate Authentication in Apache2 w/ mod_ssl. This is solely for the purpose of testing an application against CAA, not for any sort of production use.
So far I've followed http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html for advice on generating my CA, server, and client encryption information. I've put all three of them into /etc/ssl/ca/private. I've set up the following additional directives in my default_ssl site file:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ...
        SSLEngine on
        SSLCertificateFile    /etc/ssl/ca/private/server.crt
        SSLCertificateKeyFile /etc/ssl/ca/private/server.key
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLCACertificatePath /etc/ssl/ca/private
        SSLCACertificateFile /etc/ssl/ca/private/ca.crt
        <Location />
            SSLRequireSSL
            SSLVerifyClient require
            SSLVerifyDepth  2
        </Location>
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        ...
    </VirtualHost>
</IfModule>
I've installed the p12 file into Chrome, but when I go to visit https://localhost, I get the following errors:
Chrome: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Apache: Certificate Verification: Error (18): self signed certificate
If I had to guess, one of my directives is not set up right to load and verify the p12 w/ my self-created CA. But I can't for the life of me figure out what it is. Would anyone have more experience here who could point me in the right direction?
Best Answer
Firstly, I would suggest avoiding using both SSLCACertificatePath and SSLCACertificateFile at the same time. SSLCACertificatePath is used to point to a directory containing multiple files, one for each CA certificate you trust. SSLCACertificateFile is used to point to a single file, being the concatenation of all the CA certificates you trust. It doesn't really make sense to point SSLCACertificatePath to a directory that also holds private keys (although I'm not sure it would cause problems anyway).
What matters is that the client certificate you're using is issued by one of the CA certificates (pointed to by whichever of SSLCACertificatePath or SSLCACertificateFile you'll be using): the issuer DN of your client certificate must be the subject DN of one of the CA certificates you've configured this way in Apache Httpd (in addition, it must really be issued by that CA, so your client certificate's signature must be verifiable by the CA certificate's public key, but I'm assuming you've created your CA and issued certificates properly: you may want to check this, just in case).
You can check the content of a certificate (CA or not) in PEM form (often .pem or .crt) using: (This should display enough information about the certificate.)
EDIT:
Just in case there might be an issue with your certificates, you could try these test certificates:
http://jsslutils.googlecode.com/svn/tags/jsslutils-root-1.0.7/certificates/src/main/resources/org/jsslutils/certificates/local/
(All the passwords are testtest.)
You can import testclient.p12 into your browser. cacert.pem is the CA certificate in PEM format, and localhost-cert.pem is a server certificate for localhost (so it's intended for testing from the machine itself). localhost-key.pem is the private key for the server certificate. You can unprotect it using:
You might need to trust cacert.pem temporarily in your browser, but remove it after the tests (because obviously testtest is not much of a secret, so anyone could use this CA).
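The answer's two checks (the client certificate's issuer DN must equal the subject DN of a configured CA, and its signature must verify against that CA's public key) can be scripted with the openssl CLI. The script below is an added example, not code from the question, the answer or the linked pages: it builds a throwaway CA, a client certificate issued by it, and a self-signed "client" certificate of the kind that produces Apache's "Error (18): self signed certificate", then runs both checks on each. The DNs, file names and the minimal openssl.cnf are all constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce the issuer-DN and signature checks from the answer
# against a constructed test PKI. Nothing here touches a real Apache install.
set -e

# Minimal OpenSSL config so `openssl req` behaves the same regardless of the
# host's default openssl.cnf (constructed for this demo).
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

# make_test_pki DIR: writes ca.crt, client.crt (issued by the CA) and
# selfsigned.crt (issued by nobody the CA trusts) into DIR.
make_test_pki() {
    d="$1"
    cnf="$d/openssl.cnf"
    write_openssl_cnf "$cnf"
    # Self-signed CA certificate
    openssl req -x509 -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=Demo Test CA" -days 2 >/dev/null 2>&1
    # Client key and CSR, then a certificate signed by the CA
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/client.key" -out "$d/client.csr" -subj "/CN=demo-client" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$cnf" -extensions v3_client \
        -out "$d/client.crt" -days 2 >/dev/null 2>&1
    # A self-signed client certificate: its issuer is itself, not the CA, which is
    # the shape behind "Certificate Verification: Error (18): self signed certificate"
    openssl req -x509 -config "$cnf" -extensions v3_client -newkey rsa:2048 -nodes \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.crt" -subj "/CN=demo-client" -days 2 >/dev/null 2>&1
}

# dn FIELD CERT: print the subject or issuer DN of CERT, without the
# "subject=" / "issuer=" prefix that openssl x509 prepends.
dn() {
    openssl x509 -noout -"$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# check_client_cert CA_CRT CLIENT_CRT: returns 0 only if the client cert's issuer
# DN matches the CA's subject DN AND the chain verifies (signature, validity,
# CA constraints), i.e. what mod_ssl needs for SSLVerifyClient require to pass.
check_client_cert() {
    ca="$1"; crt="$2"
    if [ "$(dn issuer "$crt")" != "$(dn subject "$ca")" ]; then
        echo "issuer DN of $crt does not match subject DN of $ca" >&2
        return 1
    fi
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "signature/chain verification of $crt against $ca failed" >&2
        return 1
    }
    return 0
}

# Stand-alone run: one line per certificate saying whether mod_ssl would accept it.
demo() {
    d="$(mktemp -d)"
    make_test_pki "$d"
    for c in client selfsigned; do
        if check_client_cert "$d/ca.crt" "$d/$c.crt"; then
            echo "$c.crt: would pass SSLVerifyClient require"
        else
            echo "$c.crt: would be rejected"
        fi
    done
    rm -rf "$d"
}

demo
```

Running the script prints "client.crt: would pass SSLVerifyClient require" and "selfsigned.crt: would be rejected"; the first failing check is the issuer DN comparison, which is exactly the mismatch to look for when Apache logs error 18 against a certificate you expected your own CA to have issued. The same two commands (`openssl x509 -noout -issuer`/`-subject` and `openssl verify -CAfile`) can be pointed at the real ca.crt and the certificate extracted from the .p12.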