
Wanted to get some advice on setting up simple 2 way apache SSL.

We have created a key file and CSR request using OpenSSL. We have then submitted it to a CA and received a crt file back with the CA's crt file.

We have configured the apache http.conf file and added the following params after loading the mod_ssl module.

SSLEngine on

# the CA root cert received with the cert
SSLCACertificateFile /local/fast/fcHome/deployment/apache01/conf/ssl.crt/ca.crt

# the crt file received from the CA for the server
SSLCertificateFile /local/fast/fcHome/deployment/apache01/conf/ssl.crt/server.crt

# the key file used to generate the CSR
SSLCertificateKeyFile /local/fast/fcHome/deployment/apache01/conf/ssl.key/server.key

SSLVerifyClient require
SSLVerifyDepth 10

We then have a client who is also using a certificate signed by the same CA attempting to connect to the https service. The client is getting SSL handshake errors when connecting.

The apache error logs show the following:

ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client certificate B
ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?

I can't seem to figure out why this is. Is it possible that even though the client certificate is signed by Verisign it is not matched to the server's ca.crt file?

Any help would be greatly appreciated

  • Did you ever figure this out? Was it something on the server side, or something on the client side? Commented Jul 17, 2014 at 8:21

2 Answers

SSLCACertificateFile must contain your client's certification authority certificates plus any intermediate certificate file, all concatenated together.

You also lack SSLCertificateChainFile which must point to a file containing your server's certification authority certificate plus any intermediate certificate file, all concatenated together.

Obviously, the client (browser) must have its own client certificate installed.

Note: from the 2.4.8 release, according to the official Apache documentation, SSLCertificateChainFile is OBSOLETE (thanks to ezra-s for his comment). It's now possible to concatenate the server certificate and CA intermediate certificates directly into SSLCertificateFile.


1 Comment

For anyone checking now, in 2021, in Apache SSLCertificateChainFile is now deprecated; the CA that signs the server certificate must be concatenated with the server certificate itself in SSLCertificateFile. Nothing to correct in the answer posted here since the answer is from 2013, but this question still attracts some attention so I thought a comment with an update would be worth adding. Cheers.

The client must provide the client certificate in order to connect to the server.

For example, in Python:

import requests

# Paths to the client certificate and its private key (PEM files); placeholders, adjust to your setup
client_cert_file_path = "client.crt"
client_key_file_path = "client.key"
url = "https://example.com/"   # placeholder URL of the mutual-TLS service

cert = (client_cert_file_path, client_key_file_path)

# verify=False skips validation of the server's certificate; pass the CA bundle path instead to check it
resp = requests.get(url, cert=cert, verify=False)
