I have some problems updating my Apache SSL configuration. I was hoping that someone in this forum has some theoretical/practical knowledge and can help me find the problem:
For one year I have been running an SSL-only web page that requires SSL client auth. I am using FakeBasicAuth to limit access to certain users only. Until now I had one root certificate and the user certificates, without any sub-CA in between.
Now the environment has changed and I need to update the configuration:
I still have the one root CA (let's call it "CA-root-old") with its user certs, but additionally I now have a second CA (a sub-CA, not a root one: "CA-users-new") that I have to add as a trusted CA. This sub-CA is connected through two more sub-CAs (CA-sub-new[x]) to the real root CA (Telekom CA). Those sub-CAs are of course "untrusted".
My attempt to implement this configuration was as follows:
In the vhost file I added an SSLCACertificateFile entry, pointing to a file with the concatenated "CA-root-old" and "CA-users-new" (the trusted CAs).
To be able to perform a full verification of certs issued by "CA-users-new", I concatenated the certificates of CA-sub-new together with the Telekom CA cert into one file, which is used by the SSLCertificateChainFile Apache configuration option.
Now I am still able to authenticate with certs issued by "CA-root-old", but not with one issued by "CA-users-new". Last lines from the error log with LogLevel debug:
Code:
ssl_engine_kernel.c(1190): Certificate Verification: depth: 2, subject: /C=DE/O=X/OU=XYZ/CN=XYZ, issuer: /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
[error] Certificate Verification: Error (20): unable to get local issuer certificate
Does somebody have a clue why I cannot get this configuration to work?
My complete SSL configuration:
Code:
SSLEngine on
# Protocol versions accepted by this vhost
SSLProtocol +SSLv3 +TLSv1
# "require": a client certificate that verifies against SSLCACertificateFile is mandatory
SSLVerifyClient require
SSLCipherSuite HIGH:MEDIUM
SSLOptions +OptRenegotiate
# Server certificate and its private key
SSLCertificateFile /etc/apache2/vhosts.d/cert.pem
SSLCertificateKeyFile /etc/apache2/vhosts.d/privat-key.pem
# CA-sub-new[x] and the Telekom CA cert, concatenated
SSLCertificateChainFile /etc/apache2/Chain-certs.pem
# CA-root-old and CA-users-new, concatenated (the trusted CAs)
SSLCACertificateFile /etc/apache2/Trusted-CAs.pem
Robert
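The failure in the post, reproduced outside Apache as an added example (not code from Robert's post): the script builds a throw-away hierarchy shaped like the one described (root, sub-CA, user CA, one client cert; all names and keys constructed) and runs openssl verify once with only the user CA as the trust file, as in the post's SSLCACertificateFile, and once with the whole chain up to the root. Here -CAfile stands in for SSLCACertificateFile and -untrusted for the chain the client presents; certificates offered only as untrusted chain material never become a trust anchor, so the first run fails and the second succeeds. The exact error code and depth printed for the failing run depend on the OpenSSL version's chain-building order (the post's log shows error 20 at depth 2); it is assumed that openssl, mktemp and sed are on the PATH.

```shell
#!/bin/sh
# Added demo (constructed names, throw-away keys): root -> sub -> users -> client,
# then check which trust file lets "openssl verify" complete the chain.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mkca NAME ISSUER: issue a CA certificate; empty ISSUER => self-signed root.
# Intermediates must carry basicConstraints CA:TRUE or the chain is rejected.
mkca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=Demo/CN=$1" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1.ext"
  if [ -z "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}
mkca root ""      # stands in for the Telekom root
mkca sub root     # stands in for CA-sub-new
mkca users sub    # stands in for CA-users-new

# End-entity client certificate issued by the user CA.
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/O=Demo/CN=robert" 2>/dev/null
openssl x509 -req -in client.csr -CA users.pem -CAkey users.key -CAcreateserial \
  -days 30 -out client.pem 2>/dev/null

cat users.pem > trusted-partial.pem                # only the user CA trusted
cat users.pem sub.pem root.pem > trusted-full.pem  # whole chain incl. root
cat users.pem sub.pem > presented-chain.pem        # what the client sends (depth 1, 2)

# verify_client TRUSTED UNTRUSTED CERT: -CAfile plays SSLCACertificateFile,
# -untrusted the chain presented by the client. Returns openssl's exit status.
verify_client() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# verify_error TRUSTED UNTRUSTED CERT: prints "<code>@<depth>" on failure, else nothing.
verify_error() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 |
    sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth lookup.*/\1@\2/p'
}

echo "only user CA trusted: $(verify_error trusted-partial.pem presented-chain.pem client.pem)"
echo "full chain trusted:   $(verify_error trusted-full.pem presented-chain.pem client.pem)"
```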