Configuring 2 way SSL Client authentication on Apache web server


SSLCACertificateFile must contain your client's certification authority certificates plus any intermediate certificate file, all concatenated together.

You also lack SSLCertificateChainFile which must point to a file containing your server's certification authority certificate plus any intermediate certificate file, all concatenated together.

Obviously, the client (browser) must have its own client certificate installed.

Note: from the 2.4.8 release, as per the official Apache documentation, SSLCertificateChainFile is OBSOLETE (thanks to ezra-s for his comment). It's now possible to concatenate the server certificate and CA intermediate certificates directly into SSLCertificateFile.
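As an added example (not from the original answer or the Apache project), the script below builds the concatenated bundle the answer describes for SSLCACertificateFile and checks that a client certificate actually chains to it, using a throwaway root/intermediate/client PKI constructed with openssl in a temp directory; the CA names, paths and `SSLVerifyDepth 2` are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the original question or answer. The PKI below
# (root -> intermediate -> client) is a throwaway one constructed in a temp dir
# purely to show why the intermediate must be in the SSLCACertificateFile bundle.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

build_demo_pki() {
    # Root CA (self-signed; openssl's req -x509 defaults mark it CA:TRUE)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
    # Intermediate CA, signed by the root
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out intermediate.crt 2>/dev/null
    # Client certificate, signed by the intermediate (what the browser would present)
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -days 2 -extfile client.ext -out client.crt 2>/dev/null
    # The file the answer asks for: every intermediate plus the root, concatenated.
    cat intermediate.crt root.crt > ca-bundle.crt
}

# verify_client_cert BUNDLE CERT: exit 0 if CERT chains to a CA in BUNDLE, non-zero
# otherwise. This is the same chain building mod_ssl does for SSLVerifyClient require.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_demo_pki

# Root only reproduces the situation in the question: the intermediate is missing.
verify_client_cert root.crt client.crt      && echo "root.crt alone: accepted" || echo "root.crt alone: REJECTED (intermediate missing)"
verify_client_cert ca-bundle.crt client.crt && echo "ca-bundle.crt: accepted"  || echo "ca-bundle.crt: REJECTED"

# Matching Apache directives (paths point at the constructed demo files).
cat <<EOF
SSLEngine on
SSLCACertificateFile $WORK/ca-bundle.crt
SSLVerifyClient require
SSLVerifyDepth 2
EOF
```

Against a live server, `openssl s_client -connect host:443` prints the "Acceptable client certificate CA names" the server advertises from SSLCACertificateFile; the issuer of the client certificate must appear there, or the browser will not offer the certificate at all.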


Author by BigCroyd

Updated on June 04, 2022

Comments

  • BigCroyd
    BigCroyd almost 2 years

    Wanted to get some advice on setting up simple 2 way apache SSL.

    We have created a key file and csr request using openSSL. We have then submitted it to a CA and received a crt file back with the CA's crt file.

    We have configured the apache http.conf file and added the following params after loading the mod_ssl module.

    SSLEngine on
    # the CA root cert received with the cert
    SSLCACertificateFile /local/fast/fcHome/deployment/apache01/conf/ssl.crt/ca.crt
    # the crt file received from the CA for the server
    SSLCertificateFile /local/fast/fcHome/deployment/apache01/conf/ssl.crt/server.crt
    # the key file used to generate the csr
    SSLCertificateKeyFile /local/fast/fcHome/deployment/apache01/conf/ssl.key/server.key
    SSLVerifyClient require
    SSLVerifyDepth 10

    We then have a client who is also using a certificate signed by the same CA attempting to connect to the https service. The client is getting SSL handshake errors when connecting.

    The apache error logs show the following:

    ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client certificate B
    ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
    ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
    SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?

    I can't seem to figure out why this is. Is it possible that even though the client certificate is signed by Verisign it is not matched to the server's CA.crt file?

    Any help would be greatly appreciated.

    • Daniel
      Daniel almost 10 years
      Did you ever figure this out? Was it something on the server side, or something on the client side?
  • ezra-s
    ezra-s about 3 years
    For anyone checking now, in 2021, in apache now SSLCertificateChainFile is deprecated, the CA that signs the server certificate must go concatenated with the server certificate itself in SSLCertificateFile. Nothing to correct to the answer posted here since the answer is from 2013, but this question still attracts some attention so I thought a comment with an update would be worth adding. Cheers.