SSL – Validating HTTPS clients with certificates signed by other CAs than server’s CA

apache-2.2 ssl

I have an Apache web server with SSL enabled that has a server certificate signed by a trusted official CA.
Can I configure Apache SSL to accept clients with valid certificates signed by CAs other than the CA that signed the server certificate?

I'm getting an ssl_error_unknown_ca_alert even though I have configured other CAs in Apache and the server started with no errors.
I have created a file containing the CA certificate of the CA that signed the server certificate and the certificates of the other CAs I want to trust. Then I pointed the SSLCertificateChainFile directive to this file.

I'm using Apache 2.2.22

Edit:

I'm using:
SSLCertificateFile pointing to server certificate
SSLCertificateKeyFile pointing to server key
SSLCertificateChainFile pointing to the certificate chain that signed the server certificate
SSLCACertificateFile pointing to a file with all the certificate chains I want to be accepted

SSLVerifyClient require
SSLVerifyDepth  1

Apache recognizes them all in the log when I restart the server and there are no errors. Yet, I still got an ssl_error_certificate_unknown_alert error.
I also verified that the client certificate chain is present in the SSLCACertificateFile by comparing the text in Meld.

Best Answer

Found out what's the problem. The certificate is signed by a chain of 3 CAs and I set SSLVerifyDepth to 1. Set it to 10 and it worked.
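
The depth limit described in the answer can be worked out from the chain itself. The sketch below is an added example, not code from the original post: it follows the Apache documentation's meaning of SSLVerifyDepth (the maximum number of CA certificates followed while verifying the client certificate), and the subject names and function names are constructed for illustration.

```python
# Constructed sample: subject -> issuer for every certificate in one client
# chain, as `openssl x509 -noout -subject -issuer` would report them.
CHAIN = {
    "CN=client-01": "CN=Issuing CA",          # client (leaf) certificate
    "CN=Issuing CA": "CN=Intermediate CA",    # CA 1
    "CN=Intermediate CA": "CN=Root CA",       # CA 2
    "CN=Root CA": "CN=Root CA",               # CA 3, self-signed root
}


def required_verify_depth(leaf_subject, issuers):
    """Return the number of CA certificates between the leaf and its root.

    This is the smallest SSLVerifyDepth that lets the chain verify.
    A self-signed leaf needs depth 0.
    """
    if leaf_subject not in issuers:
        raise ValueError(f"leaf {leaf_subject!r} not found")
    depth = 0
    current = leaf_subject
    seen = {current}
    while issuers[current] != current:        # stop at the self-signed root
        parent = issuers[current]
        if parent not in issuers:
            # The file given to SSLCACertificateFile lacks this CA.
            raise ValueError(f"issuer {parent!r} missing: chain incomplete")
        if parent in seen:
            raise ValueError(f"issuer loop at {parent!r}")
        seen.add(parent)
        depth += 1
        current = parent
    return depth


def depth_allows(configured_depth, leaf_subject, issuers):
    """True if the configured SSLVerifyDepth covers the whole chain."""
    return configured_depth >= required_verify_depth(leaf_subject, issuers)


if __name__ == "__main__":
    need = required_verify_depth("CN=client-01", CHAIN)
    print(f"chain needs SSLVerifyDepth >= {need}")
    for configured in (1, need, 10):
        verdict = "accepted" if depth_allows(configured, "CN=client-01", CHAIN) else "rejected"
        print(f"SSLVerifyDepth {configured}: {verdict}")
```

For the constructed three-CA chain, a depth of 1 is rejected and 3 is the smallest value that passes; any larger value, such as the 10 used in the answer, also passes.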