Configuring 2 way SSL Client authentication on Apache web server
SSLCACertificateFile must contain your client's certification authority certificate plus any intermediate certificates, all concatenated together.
You also lack SSLCertificateChainFile, which must point to a file containing your server's certification authority certificate plus any intermediate certificates, all concatenated together.
Obviously, the client (browser) must have its own client certificate installed.
Note: from the 2.4.8 release, per the official Apache documentation, SSLCertificateChainFile is OBSOLETE (thanks to ezra-s for his comment). It's now possible to concatenate the server certificate and the CA intermediate certificates directly into SSLCertificateFile.
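As an added example (not code from the original answer or from the question), the script below builds a throwaway PKI with openssl: a root CA, an intermediate CA, a server certificate and a client certificate, all with constructed names and paths. It then assembles the two files the answer describes (the client CA bundle for SSLCACertificateFile and the server-plus-intermediates file for SSLCertificateFile on httpd 2.4.8 or later) and reproduces the failure mode behind the question's config: a client certificate issued by an intermediate cannot be validated against the root certificate alone (openssl reports "unable to get local issuer certificate"), but validates once the intermediate is in the bundle. Section names in the embedded openssl.cnf and the file name demo-mtls.conf are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original answer: demo PKI + Apache mTLS bundles.
# All CA names, hostnames and paths below are constructed for this example.
set -eu

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_openssl_cnf() {  # $1 = output path
  cat >"$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Build root CA -> intermediate CA -> server cert and client cert in $1.
make_demo_pki() {  # $1 = directory
  d=$1; mkdir -p "$d"; write_openssl_cnf "$d/openssl.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$d/openssl.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/intermediate.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/openssl.cnf" \
    -extensions v3_ca -out "$d/intermediate.crt" 2>/dev/null
  for leaf in server client; do   # both leaves are issued by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
      -subj "/CN=demo-$leaf" -keyout "$d/$leaf.key" -out "$d/$leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/$leaf.csr" -CA "$d/intermediate.crt" \
      -CAkey "$d/intermediate.key" -CAcreateserial -extfile "$d/openssl.cnf" \
      -extensions "v3_$leaf" -out "$d/$leaf.crt" 2>/dev/null
  done
}

# Assemble the two files the answer describes. Order matters for the server
# chain: Apache wants the server certificate first, then its intermediates.
build_bundles() {  # $1 = directory
  d=$1
  # SSLCACertificateFile: every CA that may appear in a client's chain.
  cat "$d/intermediate.crt" "$d/root.crt" >"$d/client-ca-bundle.crt"
  # SSLCertificateFile (httpd >= 2.4.8): server cert followed by intermediates.
  cat "$d/server.crt" "$d/intermediate.crt" >"$d/server-chain.crt"
}

# Number of PEM certificates in a bundle (sanity check after concatenation).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || :; }

# What mod_ssl effectively does with SSLCACertificateFile: validate the client
# certificate against the trust bundle. Returns 0 on success, 1 on failure.
verify_client_cert() {  # $1 = CA bundle, $2 = client certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "ok: $2 chains to $1"; return 0
  fi
  echo "FAIL: $2 does not chain to $1 (intermediate missing from bundle?)"; return 1
}

# Emit a vhost fragment pointing at the bundles; prints the file name.
write_vhost() {  # $1 = directory
  d=$1
  cat >"$d/demo-mtls.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    # httpd >= 2.4.8: server certificate + intermediates in one file
    SSLCertificateFile    $d/server-chain.crt
    SSLCertificateKeyFile $d/server.key
    # CAs allowed to issue client certificates, intermediates included
    SSLCACertificateFile  $d/client-ca-bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth  2    # client -> intermediate -> root
</VirtualHost>
EOF
  echo "$d/demo-mtls.conf"
}

demo() {  # $1 = optional work directory
  d=${1:-$(mktemp -d)}
  make_demo_pki "$d"; build_bundles "$d"
  echo "CA bundle holds $(count_certs "$d/client-ca-bundle.crt") certificates"
  verify_client_cert "$d/root.crt" "$d/client.crt" || true  # the question's setup
  verify_client_cert "$d/client-ca-bundle.crt" "$d/client.crt"
  echo "vhost written to $(write_vhost "$d")"
}

[ "${1:-}" = "run" ] && demo "${2:-}"
```

Run it as `sh demo-mtls.sh run` (the script name is assumed). The first verify_client_cert call fails in the same way mod_ssl fails when SSLCACertificateFile holds only the root: browsers commonly send just the leaf certificate, so the server must already know the intermediate. Against a live server, `openssl s_client -connect host:443 -cert client.crt -key client.key -CAfile root.crt` prints the "Acceptable client certificate CA names" the server advertises; if the client's issuer is not in that list, SSLCACertificateFile is incomplete.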
BigCroyd, updated on June 04, 2022
Comments
-
BigCroyd almost 2 years
Wanted to get some advice on setting up simple 2 way apache SSL.
We have created a key file and CSR request using OpenSSL. We have then submitted it to a CA and received a crt file back with the CA's crt file.
We have configured the apache http.conf file and added the following params after loading the mod_ssl module.
SSLEngine on
SSLCACertificateFile /local/fast/fcHome/deployment/apache01/conf/ssl.crt/ca.crt - the CA root cert received with the cert
SSLCertificateFile /local/fast/fcHome/deployment/apache01/conf/ssl.crt/server.crt - the crt file received from the CA for the server
SSLCertificateKeyFile /local/fast/fcHome/deployment/apache01/conf/ssl.key/server.key - the key file used to generate the CSR
SSLVerifyClient require
SSLVerifyDepth 10
We then have a client who is also using a certificate signed by the same CA attempting to connect to the https service. The client is getting SSL handshake errors when connecting.
The apache error logs show the following:
ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client certificate B
ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
I can't seem to figure out why this is. Is it possible that even though the client certificate is signed by Verisign it is not matched to the server's ca.crt file?
Any help would be greatly appreciated
-
Daniel almost 10 years
Did you ever figure this out? Was it something on the server side, or something on the client side?
-
ezra-s about 3 years
For anyone checking now, in 2021: in Apache, SSLCertificateChainFile is now deprecated; the CA that signs the server certificate must be concatenated with the server certificate itself in SSLCertificateFile. Nothing to correct in the answer posted here, since the answer is from 2013, but this question still attracts some attention so I thought a comment with an update would be worth adding. Cheers.