logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: using client certificate (Digicert signed certificate)
Author
apacheadmin



Joined: 12 Sep 2015
Posts: 2

PostPosted: Sat 12 Sep '15 20:55    Post subject: using client certificate (Digicert signed certificate) Reply with quote

Hi, i have got a certificate signed by the digicert as

1) cert file (mycert.crt) this was signed and given by digicert after i gave them the mycert.csr file

2) key file (mycert.key)

3) i have combined the mycert.crt (provided by digicert) and the key (that i have) mycert.key into a pcks12 format mycert_pcks12.pfx file

i have following setting in httpd-ssl.conf

SSLCertificateFile "c:/Apache24/conf/mycert.crt"

SSLCertificateKeyFile "c:/Apache24/conf/mycert.key"

SSLVerifyClient require
SSLVerifyDepth 2

SSLCACertificateFile "c:/Apache24/conf/mycert.crt"

when i import the file (step 3) pfx in my browser and try to connect to mysite it gives ssl handshake error unknown ca

if i use my self signed certificate and key and the same file for both (SSLCertificateFile and SSLCACertificateFile ) for the above settings and combine my self signed ceritifcate and key into pcks12 (pfx) file and import it in browser it works fine.

My Question is, since i am new to this , why it does not work for Digicert signed cert?

Thanks
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Sun 13 Sep '15 15:05    Post subject: Reply with quote

Admin note:
Post moved to the correct forum.


What is in the Apache error.log ?

Wondering why you convert to pcks.

Look in the cert file for Apache, it should contain:

-----BEGIN CERTIFICATE-----
-
-
-
-
-
-
-----END CERTIFICATE-----

and the key file:

-----BEGIN RSA PRIVATE KEY-----
-
-
-
-
-----END RSA PRIVATE KEY-----
Back to top
apacheadmin



Joined: 12 Sep 2015
Posts: 2

PostPosted: Sun 13 Sep '15 19:41    Post subject: Reply with quote

Thanks for your question, actually the request is not even hitting the apache server in this case as browser does not even ask for the client certificate to submit.

when i use my self signed certificate as explained in the question, browser prompts for the certificate.

My guess is you cannot use a Digicert or for that matter any publicly certificate authority's signed certificate for client authentication, i am now thinking that for client authentication you have to give them a self signed certificate with key and ask them to put that in the browser or os and on my end on server use that certificate (without) the private key to validate them as authorized client. (this is my guess and i may be very well wrong unless someone who is not a quack and knows how to do a client authentication using non self signed certificate)

Thanks again.
Back to top


Reply to topic   Topic: using client certificate (Digicert signed certificate) View previous topic :: View next topic
Post new topic   Forum Index -> Apache