Topic: Help With SSL Client Authentication Using Smart Cards

Author: buddachile
Joined: 01 Dec 2014 Posts: 1 Location: USA, Los Angeles
Posted: Mon 01 Dec '14 22:41 Post subject: Help With SSL Client Authentication Using Smart Cards
I have configured Apache to require a client certificate to access resources via SSL on port 443 using:

Code:
<VirtualHost _default_:443>
    [other stuff]
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /PATH_TO_CERTS/server.crt
    SSLCertificateKeyFile /PATH_TO_PRIVATE/server.key
    # CA certificates used to verify the client certificate chain
    SSLCACertificateFile /PATH_TO_CERTS/ca.cer
    # client must present a certificate that chains to one of those CAs
    SSLVerifyClient require
    # maximum chain length accepted during verification
    SSLVerifyDepth 10
    # export SSL_* variables and the client certificate (SSL_CLIENT_CERT) to the application
    SSLOptions +StdEnvVars +ExportCertData
    [other stuff]
</VirtualHost>
When I establish a self-signed CA and use it to issue a client cert to a client I have no problems; SSL client authentication is achieved.

What I really want to do, however, is require client certs that are issued by a third-party trusted CA which issues said certs in the form of smart cards. So, what I did is change SSLCACertificateFile to /PATH_TO_CERTS/ca-bundle.crt, which contains a bundle of CA certs including the intermediate smart card issuing CA and its root CA. The subject and issuer values of these CAs are:
Code:
Root CA:
subject= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA
issuer= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA

Intermediate CA issuing cert:
subject= /C=US/O=U.S. Government/OU=EXAMPLE AGENCY/OU=Certification Authorities/OU=EXAMPLE AGENCY Operational CA
issuer= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA
I expect Apache to accept a valid smart card cert from the client; instead, however, I get the following error: "Certificate Verification: Error (20): unable to get local issuer certificate".

I'm not sure what to make of this. Is it likely I am doing something wrong, or does "SSLVerifyClient require" only work with client certs issued by a locally established CA?

Any insight into this matter would be greatly appreciated.

I'm running Apache 2.2 on Red Hat EL6.

I saw this related thread: https://www.apachelounge.com/viewtopic.php?t=6236
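An added diagnostic, not part of the original post and not code from Apache or OpenSSL: OpenSSL's error 20 means that, for some certificate in the chain the client presented, the verifier could not find that certificate's issuer among the certificates it was given (the contents of SSLCACertificateFile plus any intermediates the client itself sent). The script below reproduces that walk on the subject/issuer DN strings that `openssl x509 -noout -subject -issuer` prints, so a bundle can be checked before touching the server. The sample dump is constructed here, modelled on the DNs quoted in the post; the card holder DN and the function names (parse_dump, trace_chain, diagnose) are this example's own choices.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: what `openssl x509 -noout -subject -issuer` prints for
# each certificate in a CA bundle, concatenated. The DNs mirror the thread's examples.
BUNDLE_DUMP = """\
subject= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA
issuer= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA
subject= /C=US/O=U.S. Government/OU=EXAMPLE AGENCY/OU=Certification Authorities/OU=EXAMPLE AGENCY Operational CA
issuer= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA
"""

ROOT_DN = "/C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA"
OPERATIONAL_DN = "/C=US/O=U.S. Government/OU=EXAMPLE AGENCY/OU=Certification Authorities/OU=EXAMPLE AGENCY Operational CA"

_DN_LINE = re.compile(r"^(subject|issuer)\s*=\s*(.+?)\s*$")


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Turn consecutive subject=/issuer= lines into (subject, issuer) tuples, in order."""
    pairs: List[Tuple[str, str]] = []
    pending_subject: Optional[str] = None
    for line in text.splitlines():
        m = _DN_LINE.match(line)
        if not m:
            continue
        key, dn = m.group(1), m.group(2)
        if key == "subject":
            pending_subject = dn
        elif pending_subject is not None:
            pairs.append((pending_subject, dn))
            pending_subject = None
    return pairs


def trace_chain(leaf_subject: str, leaf_issuer: str,
                bundle: List[Tuple[str, str]]) -> Tuple[List[str], Optional[str]]:
    """Walk from a leaf certificate towards a self-signed root, using only
    certificates found in the bundle (exact subject DN match).

    Returns (chain, missing_issuer): chain is the list of subject DNs visited,
    missing_issuer is the first issuer DN the bundle does not contain, or None
    when the walk ends at a self-signed certificate. A non-None value is the
    condition OpenSSL reports as error 20, "unable to get local issuer
    certificate". A cycle that never reaches a self-signed cert raises ValueError.
    """
    # Last entry wins on duplicate subjects; a bundle holding a rolled-over CA key
    # would need matching on key identifiers, which these DN dumps do not carry.
    by_subject: Dict[str, str] = {subject: issuer for subject, issuer in bundle}
    chain = [leaf_subject]
    subject, issuer = leaf_subject, leaf_issuer
    while subject != issuer:
        if issuer not in by_subject:
            return chain, issuer
        if issuer in chain:
            raise ValueError(f"issuer cycle without a self-signed root at {issuer}")
        chain.append(issuer)
        subject, issuer = issuer, by_subject[issuer]
    return chain, None


def diagnose(leaf_subject: str, leaf_issuer: str, bundle_dump: str) -> str:
    """One-line verdict phrased like OpenSSL's verify output."""
    chain, missing = trace_chain(leaf_subject, leaf_issuer, parse_dump(bundle_dump))
    if missing is None:
        return f"OK: chain of {len(chain)} certificate(s) closes at a self-signed root"
    return (f"error 20 at depth {len(chain) - 1}: unable to get local issuer "
            f"certificate for issuer {missing}")


if __name__ == "__main__":
    # Constructed card holder DN; the issuer is the intermediate quoted in the post.
    card_holder = "/C=US/O=U.S. Government/OU=EXAMPLE AGENCY/CN=CARD HOLDER (constructed)"
    print(diagnose(card_holder, OPERATIONAL_DN, BUNDLE_DUMP))
    # A card issued by a CA that is absent from the bundle reproduces the error from the post.
    other_ca = "/C=US/O=U.S. Government/OU=EXAMPLE AGENCY/OU=Certification Authorities/OU=EXAMPLE AGENCY Device CA"
    print(diagnose(card_holder, other_ca, BUNDLE_DUMP))
```

To use it on a real bundle, run `openssl x509 -noout -subject -issuer -in <file>` over each certificate in ca-bundle.crt and over the certificate read from the card, and feed the concatenated output to `diagnose`. Two caveats: the script compares DN strings literally, whereas OpenSSL compares the encoded names and, where present, the authority and subject key identifiers, so a mismatch here is a triage hint rather than proof; and the chain Apache sees also includes any intermediates the client sends, which a dump of the server-side bundle alone does not show. Confirm any finding with `openssl verify -CAfile ca-bundle.crt client.crt`.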