Openssl client authentication error: tlsv1 alert unknown ca: … SSL alert number 48


I've generated a certificate using openssl and placed it on the client's machine, but when I try to connect to my server using that certificate, I get the error mentioned in the subject line back from my server.

Here's what I've done.

1) I do a test connect using openssl to see what the acceptable client certificate CA names are for my server, I issue this command from my client machine to my server:

    openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -prexit

and part of what I get back is as follows:

    Acceptable client certificate CA names
    /C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/emailAddress=tdrake@mysite.com
    /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/emailAddress=tdrake@mysite.com

2) Here is what is in the apache configuration file on the server regarding SSL client authentication:

    SSLCACertificatePath /etc/apache2/certs

    SSLVerifyClient require
    SSLVerifyDepth  10

3) I generated a self-signed client certificate called "client.pem" using mypos.pem and mypos.key, so when I run this command:

    openssl x509 -in client.pem -noout -issuer -subject -serial

here is what is returned:

    issuer= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/emailAddress=tdrake@mysite.com
    subject= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=mlR::mlR/emailAddress=admin@inteliware.com
    serial=0E

(please note that mypos.pem is in /etc/apache2/certs/ and mypos.key is saved in /etc/apache2/certs/private/)

4) I put client.pem on the client machine, and on the client machine, I run the following command:

    openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -status -cert client.pem

and I get this error:

    CONNECTED(00000003)
    OCSP response: no response sent
    depth=1 /C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/emailAddress=tdrake@mysite.com
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    574:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 48
    574:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_lib.c:182:

I'm really stumped as to what I've done wrong. I've searched quite a bit on this error, and what I found is that people are saying the issuing CA of the client's certificate is not trusted by the server, yet when I look at the issuer of my client certificate, it matches one of the accepted CAs returned by my server.

Can anyone help, please?

Thank you in advance.

Best Answer

OK, I finally found out what the issue was and would like to share it just in case anyone gets stuck with that error message too.

Apache's config file has the following lines when it talks about the CA:

    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.

This means that every certificate file in this directory pointed to by SSLCACertificatePath must use a symbolic link. AND, most importantly, the name of each symbolic link must be the subject hash value of each certificate. You can find the hash value of the CA certificate by running this command:

    openssl x509 -noout -subject_hash -in cacert.pem

So, if the hash value was 0434423b, in the directory pointed to by SSLCACertificatePath, you should create two symbolic links to point to the certificate in the directory:

    0434423b -> /etc/apache2/certs/mypos.pem
    0434423b.0 -> /etc/apache2/certs/mypos.pem

This should solve the issue. Of course, if I had used SSLCACertificateFile, I don't think I'd have experienced so many problems.

I found the explanation of SSLCACertificatePath here:

openssl's verify command page

Look under the -CApath directory option.
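As an added illustration of the fix in the answer above (not code from the original post or from Apache), here is a small POSIX shell script that does what the OpenSSL `c_rehash` tool does for a directory used as SSLCACertificatePath / -CApath: it creates the `HASH.N` symlinks that the lookup consults, handles two CA certificates sharing a subject hash by incrementing N, and offers a check function that reports any CA certificate with no hash link, which is exactly the condition that yields "tlsv1 alert unknown ca" even though the issuer name matches. The directory name is passed as an argument and is an assumption, not the poster's /etc/apache2/certs.

```shell
#!/bin/sh
# Build the hash symlinks that Apache's SSLCACertificatePath (and OpenSSL's
# -CApath) require, for every PEM CA certificate in a directory.
set -eu

# subject_hash_of FILE: print the subject-name hash OpenSSL expects as the link name.
subject_hash_of() {
    openssl x509 -noout -subject_hash -in "$1"
}

# rehash_cadir DIR: create HASH.N -> cert.pem symlinks for every *.pem in DIR.
# N starts at 0 and is incremented when two certificates share a subject hash,
# so a directory holding an old and a renewed CA certificate still works.
rehash_cadir() {
    dir=$1
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(subject_hash_of "$cert")
        n=0
        # Skip suffixes already taken, unless that link already points at this cert.
        while [ -L "$dir/$hash.$n" ] || [ -e "$dir/$hash.$n" ]; do
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ]; then
                continue 2
            fi
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# check_cadir DIR: return 1 if any *.pem in DIR has no hash link. mod_ssl cannot
# find such a CA, so clients it signed are rejected with "unknown ca" (alert 48).
check_cadir() {
    dir=$1
    rc=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(subject_hash_of "$cert")
        if ! ls "$dir/$hash".[0-9]* >/dev/null 2>&1; then
            echo "no hash link for $cert (expected $hash.N)" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run `rehash_cadir` after every change to the directory and then `check_cadir` before restarting Apache; note that the hash depends on the OpenSSL version (0.9.8 used an MD5-based hash, 1.0.0 and later a SHA-1-based one), so the links must be generated with the same OpenSSL build that mod_ssl links against.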