Complex SSL configuration: Client auth + multiple root certs

Everything concerning Apache can be discussed here.

Postby arob » 14. April 2008 13:33


I have some problems updating my Apache SSL configuration. I was hoping that someone in this forum has some theoretical/practical knowledge and can help me find the problem:

For a year now I have been running an SSL-only web page that requires SSL client auth. I am using FakeBasicAuth to limit access to certain users only. Until now I had one root certificate and the user certificates, without any sub-CA in between.
Now the environment has changed and I need to update the configuration:

I still have the one root CA (let's call it "CA-root-old") with its user certs, but additionally I now have a second CA (a sub-CA, not a root one: "CA-users-new") that I have to add as a trusted CA. This sub-CA is connected through two more sub-CAs (CA-sub-new[x]) to the real root CA (Telekom CA). Those sub-CAs are of course "untrusted".

My attempt to implement this configuration was as follows:

In the vhost file I added an SSLCACertificateFile entry, pointing to a file with the concatenated "CA-root-old" and "CA-users-new" (the trusted CAs).
To be able to perform a full verification of certs issued by "CA-users-new", I concatenated the certificates of CA-sub-new together with the Telekom CA cert into one file, which is used by the SSLCertificateChainFile Apache configuration option.

Now I am still able to authenticate with certs issued by "CA-root-old", but not with one issued by "CA-users-new". Last lines from the error log with LogLevel debug:
ssl_engine_kernel.c(1190): Certificate Verification: depth: 2, subject: /C=DE/O=X/OU=XYZ/CN=XYZ, issuer: /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
[error] Certificate Verification: Error (20): unable to get local issuer certificate

Does somebody have a clue why I do not manage to get this configuration to work?

My complete SSL configuration:
SSLEngine on
SSLProtocol +SSLv3 +TLSv1
# SSLVerifyClient takes none | optional | require | optional_no_ca
SSLVerifyClient require
SSLOptions +OptRenegotiate
SSLCertificateFile /etc/apache2/vhosts.d/cert.pem
SSLCertificateKeyFile /etc/apache2/vhosts.d/privat-key.pem
SSLCertificateChainFile /etc/apache2/Chain-certs.pem
SSLCACertificateFile /etc/apache2/Trusted-CAs.pem

Posts: 5
Joined: 14. April 2008 13:08

Re: Complex SSL configuration: Client auth + multiple root certs

Postby scott_thomas007 » 22. March 2010 07:04

Hi Robert and Arob,

I am having the same problem... First I will explain the problem... I have a main root CA, let's say "ID Technologies"... Below it I have a sub-CA named "General Administration"... Below this sub-CA, I have 3 more CAs: "Accounts Administration", "HR Administration" and "Sales Administration"...

"ID Technologies"
    "General Administration"
        "Accounts Administration"   "HR Administration"   "Sales Administration"

I am using smart card authentication in Accounts Administration but am having problems with the CA chains. I tried the configuration you described but could not resolve the issue. Kindly guide me on how I can use the tags "SSLCACertificateFile" & "SSLCertificateChainFile".

Waiting for your Reply,

Best Regards
Scott Thomas
University of Essex.
Posts: 1
Joined: 22. March 2010 06:50

Re: Complex SSL configuration: Client auth + multiple root certs

Postby arob » 29. March 2010 16:24

Sorry, but I don't remember what the problem was or how I solved it. The double-root-CA configuration ran for only some months. Now I am using only one root CA.

The only thing I remember is that the CA chain has to include the chain certificates as well as the CA certificates.
Posts: 5
Joined: 14. April 2008 13:08
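The first post's attempt (intermediates placed in SSLCertificateChainFile) and arob's closing remark, reproduced as an added example that is not from the thread: a throwaway CA hierarchy in the same shape, then `openssl verify` run the way mod_ssl verifies a client certificate. `-CAfile` stands in for SSLCACertificateFile and `-untrusted` for the chain the client sends; SSLCertificateChainFile is left out because Apache uses it only to assemble the server's own chain for browsers, not for client-certificate verification. All names and files are constructed.

```shell
#!/bin/sh
# Constructed CA hierarchy shaped like the thread's: a self-signed root,
# two intermediates (CA-sub-new1/2), the issuing CA (CA-users-new), one user
# cert. Needs only the openssl CLI; every name here is made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal v3 extensions: without CA:TRUE OpenSSL will not accept the sub-CAs as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# csr NAME: fresh RSA key plus a CSR with CN=NAME
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$1" \
    -out "$1.csr" 2>/dev/null
}
# issue NAME ISSUER EXTFILE: sign NAME's CSR with ISSUER's key and EXTFILE's extensions
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
}

csr root                                           # the real root ("Telekom CA")
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.crt 2>/dev/null
csr sub1;  issue sub1  root  ca.ext                # CA-sub-new1
csr sub2;  issue sub2  sub1  ca.ext                # CA-sub-new2
csr users; issue users sub2  ca.ext                # CA-users-new
csr user1; issue user1 users leaf.ext              # a user certificate

# The issuer certs a client typically presents alongside its own cert.
cat users.crt sub2.crt sub1.crt > client-chain.pem
# Trust store as in the first post: the issuing CA only (intermediates and
# root were in SSLCertificateChainFile, which mod_ssl never consults here).
cat users.crt > Trusted-CAs.pem
# Trust store as arob's last post describes: issuing CA, intermediates, root.
cat users.crt sub2.crt sub1.crt root.crt > Trusted-CAs-full.pem

# verify_client CAFILE: OpenSSL's verdict on user1.crt. -CAfile stands in for
# SSLCACertificateFile, -untrusted for the chain the client sent; on OpenSSL
# 1.1.0+ the exit status is 0 only when the chain reaches a trusted root.
verify_client() {
  openssl verify -CAfile "$1" -untrusted client-chain.pem user1.crt 2>&1
}

echo "== issuing CA only =="
verify_client Trusted-CAs.pem || true      # error: unable to get ... issuer certificate
echo "== issuing CA + intermediates + root =="
verify_client Trusted-CAs-full.pem         # user1.crt: OK
```

A longer chain also has to fit under SSLVerifyDepth, which defaults to 1; `openssl verify -verify_depth` models that limit.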
