Topic: using client certificate (Digicert signed certificate)

apacheadmin
Joined: 12 Sep 2015
Posts: 2

Posted: Sat 12 Sep '15 20:55    Post subject: using client certificate (Digicert signed certificate)

Hi, I have got a certificate signed by Digicert as:

1) cert file (mycert.crt); this was signed and given by Digicert after I gave them the mycert.csr file

2) key file (mycert.key)

3) I have combined the mycert.crt (provided by Digicert) and the key (that I have) mycert.key into a PKCS12-format mycert_pcks12.pfx file

I have the following settings in httpd-ssl.conf

SSLCertificateFile "c:/Apache24/conf/mycert.crt"

SSLCertificateKeyFile "c:/Apache24/conf/mycert.key"

SSLVerifyClient require
SSLVerifyDepth 2

SSLCACertificateFile "c:/Apache24/conf/mycert.crt"

When I import the pfx file (step 3) in my browser and try to connect to mysite, it gives an SSL handshake error: unknown ca

If I use my self-signed certificate and key, and the same file for both (SSLCertificateFile and SSLCACertificateFile) for the above settings, and combine my self-signed certificate and key into a PKCS12 (pfx) file and import it in the browser, it works fine.

My question is, since I am new to this, why does it not work for the Digicert-signed cert?

Thanks

Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3093
Location: Hilversum, NL, EU

Posted: Sun 13 Sep '15 15:05

Admin note:
Post moved to the correct forum.


What is in the Apache error.log?

Wondering why you convert to PKCS.

Look in the cert file for Apache, it should contain:

-----BEGIN CERTIFICATE-----
-
-
-
-
-
-
-----END CERTIFICATE-----

and the key file:

-----BEGIN RSA PRIVATE KEY-----
-
-
-
-
-----END RSA PRIVATE KEY-----

apacheadmin
Joined: 12 Sep 2015
Posts: 2

Posted: Sun 13 Sep '15 19:41

Thanks for your question; actually the request is not even hitting the Apache server in this case, as the browser does not even ask for the client certificate to submit.

When I use my self-signed certificate as explained in the question, the browser prompts for the certificate.

My guess is you cannot use a Digicert or, for that matter, any public certificate authority's signed certificate for client authentication. I am now thinking that for client authentication you have to give them a self-signed certificate with key and ask them to put that in the browser or OS, and on my end on the server use that certificate (without the private key) to validate them as an authorized client. (This is my guess and I may very well be wrong, unless someone who is not a quack and knows how to do a client authentication using non-self-signed certificate)

Thanks again.
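
Added example (not from the thread or from Apache Lounge): mod_ssl uses the certificates in SSLCACertificateFile both as the trust anchors for verifying a client certificate and as the CA names it advertises when it requests one, so this sketch rebuilds the thread's two setups with the openssl CLI and checks both properties for each. All keys, certificates and subject names are constructed stand-ins, and the helper names chain_ok and ca_name_matches are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed fixture: every key, certificate and name here is a throwaway
# stand-in generated locally; none comes from the thread or from a real CA.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

build_fixture() {
  # ca.crt: stand-in for the public CA that signs the CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Issuing CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  # leaf.crt: stand-in for mycert.crt, issued by that CA from a CSR.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/leaf.crt" 2>/dev/null
  # self.crt: stand-in for the self-signed client certificate that worked.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=selfsigned.example" \
    -keyout "$work/self.key" -out "$work/self.crt" 2>/dev/null
}

# chain_ok TRUST CLIENT: does CLIENT.crt verify with TRUST.crt as the only trusted CA?
chain_ok() {
  if openssl verify -CAfile "$work/$1.crt" "$work/$2.crt" 2>/dev/null | grep -q ': OK$'
  then echo yes; else echo no; fi
}

# ca_name_matches TRUST CLIENT: is CLIENT's issuer DN the subject DN of TRUST.crt,
# i.e. would a browser see CLIENT as issued by one of the advertised CA names?
ca_name_matches() {
  local subj iss
  subj=$(openssl x509 -in "$work/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$work/$2.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

build_fixture
printf '%-22s %-12s %-6s %s\n' "CA file (trust)" "client cert" "chain" "CA name match"
for pair in "leaf leaf" "ca leaf" "self self"; do
  set -- $pair
  printf '%-22s %-12s %-6s %s\n' "$1.crt" "$2.crt" "$(chain_ok "$1" "$2")" "$(ca_name_matches "$1" "$2")"
done
```

For a CA-issued client certificate, the only row that passes both checks is the one where the CA file holds the issuer's certificate rather than the client certificate itself.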