Topic: Help With SSL Client Authentication Using Smart Cards
Author: buddachile
Posted: Mon 01 Dec '14 22:41

I have configured Apache to require a client certificate to access
resources via SSL on port 443 using:

Code:
<VirtualHost _default_:443>

  [other stuff]

    SSLEngine on

    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /PATH_TO_CERTS/server.crt
    SSLCertificateKeyFile /PATH_TO_PRIVATE/server.key
    SSLCACertificateFile /PATH_TO_CERTS/ca.cer

    SSLVerifyClient require
    SSLVerifyDepth  10
    SSLOptions +StdEnvVars +ExportCertData

  [other stuff]

</VirtualHost>


When I establish a self-signed CA and use it to issue a client cert
to a client I have no problems; SSL client authentication is achieved.

What I really want to do, however, is require client certs that are
issued by a third-party trusted CA which issues said certs in the
form of smart cards. So, what I did is change SSLCACertificateFile
to /PATH_TO_CERTS/ca-bundle.crt, which contains a bundle of CA certs
including the intermediate smart card issuing CA and its root CA. The
subject and issuer values of these CAs are:

Code:
  Root CA:
    subject= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA
    issuer= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA

  Intermediate CA issuing cert:
    subject= /C=US/O=U.S. Government/OU=EXAMPLE AGENCY/OU=Certification Authorities/OU=EXAMPLE AGENCY Operational CA
    issuer= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA


I expect Apache to accept a valid smart card cert from the client,
however instead I get the following error: "Certificate Verification:
Error (20): unable to get local issuer certificate".

I'm not sure what to make of this. Is it likely I am doing something
wrong, or does "SSLVerifyClient require" only work with client certs
issued by a locally established CA?

Any insight into this matter would be greatly appreciated.

I'm running Apache 2.2 on Red Hat EL6.

I saw this related thread: https://www.apachelounge.com/viewtopic.php?t=6236
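
Verify error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) means OpenSSL found no certificate for the issuer named in the certificate it was checking, neither in the configured CA file nor among the certificates the peer supplied. The script below is an added example, not part of the original post: it builds a constructed three-level lab PKI (all subjects and file names are made up) and shows which CA file contents produce that error for a client certificate signed by an intermediate CA.

```shell
#!/bin/sh
# Added example: constructed lab PKI (root CA -> issuing CA -> client cert).
# Every subject, file name and key here is made up for the demonstration.

build_pki() {    # $1 = empty working directory
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Lab
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root CA
  openssl req -x509 -config "$d/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/O=Lab/OU=Lab Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Issuing (intermediate) CA, signed by the root
  openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Lab/OU=Lab Issuing CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 2 \
    -extfile "$d/lab.cnf" -extensions v3_ca -days 2 -out "$d/int.crt" 2>/dev/null
  # Client certificate signed by the issuing CA (stands in for the card's certificate)
  openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Lab/CN=Lab Card Holder" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -set_serial 3 \
    -days 2 -out "$d/client.crt" 2>/dev/null
  cat "$d/root.crt" "$d/int.crt" > "$d/ca-bundle.crt"
}

# Print "OK" or OpenSSL's numeric verify error for cert $2 against CA file $1.
# Extra arguments (e.g. -untrusted FILE) are passed through to `openssl verify`.
verify_code() {
  ca=$1; cert=$2; shift 2
  if out=$(openssl verify -CAfile "$ca" "$@" "$cert" 2>&1); then echo OK; return 0; fi
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

demo() {
  w=$(mktemp -d) && build_pki "$w" || return 1
  echo "CA file = root only:               $(verify_code "$w/root.crt" "$w/client.crt")"
  echo "CA file = root + issuing CA:       $(verify_code "$w/ca-bundle.crt" "$w/client.crt")"
  # -untrusted stands in for a client that sends the issuing CA cert with its own
  echo "root only, issuer sent by client:  $(verify_code "$w/root.crt" "$w/client.crt" -untrusted "$w/int.crt")"
  rm -rf "$w"
}
demo
```

Running the same `openssl verify -CAfile` check against the real bundle and a certificate exported from the card shows whether the bundle actually contains the card's issuer.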