NivekLR
Joined: 20 May 2018 Posts: 6 Location: France
Posted: Sun 20 May '18 10:09 Post subject: User Certificate Authentication
Hello to all,
I am stuck on the configuration of user authentication by certificate.
Host: Windows 10 x64
Application: WAMPServer 3.1.3 x64
Apache: 2.4.33
PHP: 7.2.5
MySQL: 5.7.22
OpenSSL: 1.0.1h
My HTTPS access has been configured to use Let's Encrypt certificates.
I have configured my self-signed Root CA and Intermediate CA with OpenSSL.
I have issued some server and client certificates that are OK (e.g. MySQL "Require SSL" option).
Then I have configured Apache to use my self-signed certificates for user authentication with the SSLCADNRequestPath and SSLCADNRequestFile options.
If SSLVerifyClient is set to optional_no_ca all access is working, but if I set it to optional or require I have the following error:
Peer does not recognize and trust the CA that issued your certificate. Error code: SSL_ERROR_UNKNOWN_CA_ALERT
On Apache's log I have the following errors:
- AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
- AH02261: Re-negotiation handshake failed
- SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
When I test with the openssl command openssl s_client -connect url:443 the certificate displayed is the Let's Encrypt one.
Is there a configuration that permits forcing the use of my self-signed ones for user authentication?
My Root and Intermediate are installed in the Windows Certs Store and Firefox Certificates.
Kind regards,
NivekLR
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Sun 20 May '18 20:12
Hello,
maybe the following lines help you?
SSLCACertificateFile conf/ssl.crt/radde-ca-client-chain.crt
SSLVerifyClient require
SSLVerifyDepth 2
I have created my own CA with an intermediate CA for signing the certificates used by the clients.
So I have chained the root-CA's cert and the intermediate-CA's cert into one file and configured this as "SSLCACertificateFile" within apache.
So if you have only a self-signed/self-created CA that is signing the client's certificates then "SSLVerifyDepth 1" should be sufficient, too.
Best regards
Matthias
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
Posted: Mon 21 May '18 10:40 Post subject: Re: User Certificate Authentication
Why are you using self-signed certificates in the chain with Let's Encrypt? Let's Encrypt has its own signed certificates: https://letsencrypt.org/certificates/
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Mon 21 May '18 11:34
@Jan-E:
I believe he is using the Let's Encrypt certificate on the webserver for encryption.
And the self-signed certificate is for user authentication.
Might not be a good idea to do it this way, but it should be possible.
NivekLR
Joined: 20 May 2018 Posts: 6 Location: France
Posted: Mon 21 May '18 17:26
That's correct. I am using LE for web access because it's a public authority (no installation required) and my self-signed ones for client authentication to get the authority on my client auth certificates.
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Tue 22 May '18 16:28
@NivekLR:
have you created your own self-signed CA for signing client certs, or have you created a bunch of self-signed certificates?
NivekLR
Joined: 20 May 2018 Posts: 6 Location: France
Posted: Wed 23 May '18 12:25
I have created a Root CA and an Intermediate, then I have issued the users' certificates.
PS: I have tested with my own certificate for web access and I have no error.
So I really think that when the web access and user certificates are not signed by the same root CA the verification is not working...
Kind regards,
NivekLR
timo
Joined: 03 Jun 2012 Posts: 45 Location: FI, EU
Posted: Wed 23 May '18 16:06
NivekLR wrote:
    So I really think that when the web access and user certificates are not signed by the same root CA the verification is not working...
    Kind regards,
    NivekLR
I have a LetsEncrypt certificate for my web server,
and a self-signed certificate for client certification.
It works fine.
Client certificate is created with SimpleAuthority (http://simpleauthority.com/).
Use SimpleAuthority to create the CA and user certificates. Finally, SimpleAuthority creates a .p12 file (includes user certificate + CA if you opt for that). This you have to import to your client computer, that is, for each client computer from which you wish to access the web server using the client certificate.
In the Apache server (in my setup, version 2.4.33), I have for the web server's certification
1) SSLCertificateFile pointing to the chain file (.pem) created by letsencrypt
2) SSLCertificateKeyFile pointing to the key file (.pem) created by letsencrypt
and for the client certification
3) SSLCACertificateFile pointing to the CA file (.crt) created by SimpleAuthority
4) SSLCARevocationFile pointing to the revocation file (.pem) created by SimpleAuthority
Furthermore, I use SSLVerifyClient optional so I can also use username/password in case I access my web server from a PC that does not have the client certificate installed.
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Wed 23 May '18 18:02
@NivekLR:
so you have (for the client auth) the same construction as I have.
But depending on the browser (found out using tcpdump/Wireshark) the intermediate certificate (that the browser has!) is not submitted to the webserver. So if the webserver only knows about your root CA and you are using "SSLVerifyDepth 2", then your webserver does not know the connection between the client cert and the root CA cert.
That is the reason why I chained both the root CA cert and the intermediate cert and used this as "SSLCACertificateFile".
timo
Joined: 03 Jun 2012 Posts: 45 Location: FI, EU
Posted: Wed 23 May '18 19:39
I don't have any intermediate certificate.
The browser has client certificate (+ key of course, all included in .p12 file), and server has CA-certificate.
For that reason, SSLVerifyDepth 1 (default value) is sufficient in my setup.
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Wed 23 May '18 21:14
@timo
thank you for verifying/proving that the encryption cert and the authentication cert do not need to have the same CA. Good to hear that my guess was correct.
And you are absolutely right: if you don't use intermediate CAs, "SSLVerifyDepth 1" is working great and is absolutely correct.
But as soon as you start using intermediate CAs (as NivekLR and I did) and use "SSLVerifyDepth 2", it is better to store the intermediate CA's certificates within Apache's config to avoid the problem of the "missing" intermediate CA cert as described.
NivekLR
Joined: 20 May 2018 Posts: 6 Location: France
Posted: Thu 24 May '18 10:53
Thank you very much to all !
I have just understood my error...
In the configuration of Apache I set SSLCACertificateFile to Let's Encrypt's one, while it was not necessary because it's public.
So I have set this option to my self-signed chain certificate and it works!
Kind regards,
NivekLR
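The thread's whole situation, as an added example that is not part of any post above: a throwaway Root CA and Intermediate CA are built with openssl, a user certificate is issued from the intermediate, and openssl verify (the same X.509 chain builder mod_ssl calls) is run three times to show exactly when the AH02039 "Error (20): unable to get local issuer certificate" appears and when it goes away. It also builds the root+intermediate chain file mraddi uses as SSLCACertificateFile and the .p12 bundle timo imports into the browser. All names (Example Root CA, alice, the file names, the password "changeit", the letsencrypt paths in the comment) are invented placeholders; -CAfile stands in for SSLCACertificateFile and -untrusted for the intermediate a browser may or may not send along, as mraddi observed.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduce mod_ssl's
# "Certificate Verification: Error (20): unable to get local issuer
# certificate" with openssl verify, then fix it the way the thread did.
#   -CAfile     stands in for SSLCACertificateFile (server-side trust for clients)
#   -untrusted  stands in for the intermediate a browser may or may not send
# Names, file names, paths and the password below are invented for this demo.
#
# Resulting mod_ssl config (placeholder paths): Let's Encrypt for the server
# identity, the private CA only for client authentication.
#   SSLCertificateFile     /path/to/letsencrypt/fullchain.pem
#   SSLCertificateKeyFile  /path/to/letsencrypt/privkey.pem
#   SSLCACertificateFile   conf/ssl.crt/ca-client-chain.crt   # root + intermediate
#   SSLVerifyClient        require                            # or optional
#   SSLVerifyDepth         2
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: one extension set per tier of the hierarchy.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# issue NAME SUBJECT EXT_SECTION ISSUER_CERT ISSUER_KEY: key + CSR + signed cert
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial -days 365 \
        -sha256 -extfile ca.cnf -extensions "$3" -out "$1.crt" >/dev/null 2>&1
}

# Root (self-signed) -> Intermediate -> user certificate, as in the thread.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
    -extensions v3_root -subj "/CN=Example Root CA" \
    -keyout root.key -out root.crt >/dev/null 2>&1
issue inter  "/CN=Example Intermediate CA" v3_inter  root.crt  root.key
issue client "/CN=alice"                   v3_client inter.crt inter.key

# What belongs in SSLCACertificateFile: root and intermediate in one PEM file.
cat root.crt inter.crt > ca-client-chain.crt

# What the user imports into the browser: a PKCS#12 bundle with the key, the
# certificate and the intermediate (so the browser is able to send it along).
openssl pkcs12 -export -in client.crt -inkey client.key -certfile inter.crt \
    -name alice -passout pass:changeit -out alice.p12

# verify_client TRUST_FILE [PRESENTED_INTERMEDIATES]
# Prints OK, or "error N: reason" in the form the AH02039 log line reports.
verify_client() {
    ca=$1; presented=${2:-}
    if [ -n "$presented" ]; then set -- -CAfile "$ca" -untrusted "$presented"
    else set -- -CAfile "$ca"; fi
    if out=$(openssl verify "$@" client.crt 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" |
            sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup: *\(.*\)/error \1: \2/p' |
            head -n 1
    fi
}

echo "root only, intermediate not sent : $(verify_client root.crt)"
echo "root only, intermediate sent     : $(verify_client root.crt inter.crt)"
echo "root+intermediate chain file     : $(verify_client ca-client-chain.crt)"
```

Run it as a POSIX shell script with openssl in PATH. The first case is the poster's original situation (server trusts only the root, browser withholds the intermediate) and prints error 20; the second shows why it "sometimes works" depending on what the browser sends; the third is the fix from the thread, where the server no longer depends on the browser at all. Note that the Let's Encrypt chain never appears in the client trust file: SSLCACertificateFile is only consulted for the peer's certificate, which is why pointing it at the Let's Encrypt chain produced the error in the first place.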