SSL – Authenticating Client Certificates from a Different Issuer

Tags: apache-2.2, certificate, certificate-authority, ssl, virtualhost

Ok, here's the scenario. A company called "Corp" issues SSL certificates to all their employees for accessing Corp's web resources. Corp also provides a certificate for their Certificate Authority so that their employees can install this as a trusted CA.

I am building a tool that is outside of Corp's network, but I would like to use the SSL certificates that all of the employees have installed to identify them when they use this tool (since only Corp employees should be able to use this tool). This is running on an Apache 2.2 install on Amazon's linux distro. Here is what I have tried so far:

1) I created and self-signed an SSL certificate for the server to use to serve up HTTPS ("privatekey.pem" and "server.crt")

2) I copied Corp's CA certificate to the server (corp-ca.crt)

3) I used the following VirtualHost configuration for Apache:

<VirtualHost *:443>
        ServerName toolname.thirdparty.com
        DocumentRoot /var/www/html
        ServerAdmin admin@myemail.com
        ErrorLog logs/toolname-error_log
        CustomLog logs/toolname-access_log common
        <Directory "/var/www/html">
                AllowOverride all
        </Directory>
        SSLEngine On
        SSLCertificateFile /etc/ssl/server.crt
        SSLCertificateKeyFile /etc/ssl/privatekey.pem
        SSLCACertificateFile /etc/ssl/corp-ca.crt
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars
</VirtualHost>

When I try to access one of Corp's websites, I can select my client certificate from them and it works, so I know the client certificate is installed properly. When I do this with SSLVerifyClient optional, the page loads fine over HTTPS so I know my server's SSL setup is good. With SSLVerifyClient required, though, I get an ERR_SSL_PROTOCOL_ERROR saying:

"Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have."

So this brings up the question I have to ask: is what I'm trying to do even possible? Can I use a client certificate issued by someone else to verify their identity on my own site? If that's actually possible, how would I go about doing it?

Best Answer

Corp obviously holds a CA root cert, maybe along with an intermediate cert. So in this scenario, you cannot use a self-signed cert with Corp's CA chain. Your certificate has to be "signed" by Corp's Root or Intermediate cert, with the openssl ca command.

Thus you have to send a CSR to Corp's admin to give you a signed/valid cert back to use with your Apache.

Edit: For more information you can use the openssl s_client command to see your SSL setup, e.g.: openssl s_client -connect myextapp.com:443
In the output you will see the certificate chain that you have used to configure Apache.
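As an added check (not part of the question or the answer): the VirtualHost above uses SSLVerifyDepth 1, which mod_ssl documents as accepting only self-signed client certificates or ones signed directly by a CA in SSLCACertificateFile; each intermediate in Corp's chain raises the required depth by one. This Python audit works on a constructed copy of the page's SSL directives and a placeholder PEM bundle (not a real certificate) and reports what has to change when employee certificates are issued through an intermediate CA.

```python
import re

# Constructed sample input: the mod_ssl directives from the question's VirtualHost
# and a one-entry CA bundle with a placeholder PEM body (not a real certificate).
VHOST = """
SSLEngine On
SSLCACertificateFile /etc/ssl/corp-ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
"""
CA_BUNDLE = """-----BEGIN CERTIFICATE-----
Q29ycCBSb290IENBIChwbGFjZWhvbGRlcik=
-----END CERTIFICATE-----
"""

def parse_directives(vhost_text):
    """Return {directive: value} for every SSL* directive in a VirtualHost block."""
    found = {}
    for line in vhost_text.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def count_pem_certs(pem_text):
    """Number of CERTIFICATE blocks in the bundle Apache loads as its trust store."""
    return len(re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                          pem_text, re.S))

def required_depth(intermediates):
    """SSLVerifyDepth needed for root -> N intermediates -> client certificate.
    Depth 0: self-signed clients only; depth 1: signed directly by a trusted CA;
    every intermediate between the trusted CA and the client adds one."""
    return intermediates + 1

def audit(vhost_text, ca_bundle, intermediates):
    """List the findings for a client-cert setup whose issuing chain has N intermediates."""
    d = parse_directives(vhost_text)
    findings = []
    if d.get("SSLVerifyClient") != "require":
        findings.append("SSLVerifyClient is not 'require'; clients without a certificate still get in")
    depth, need = int(d.get("SSLVerifyDepth", "1")), required_depth(intermediates)
    if depth < need:
        findings.append(f"SSLVerifyDepth {depth} too small for {intermediates} intermediate(s); need {need}")
    n = count_pem_certs(ca_bundle)
    if n < intermediates + 1:
        findings.append(f"{d.get('SSLCACertificateFile')} holds {n} cert(s); "
                        f"add the {intermediates} intermediate(s) unless clients send them")
    return findings
```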