Differentiate web access based on sub CA's (a discussion in the Modssl Users forums, part of the Web Server and Related Forums category)
Hi,
I have the following CA structure:

    Root CA (cacert.pem)
    |
    |_ sub CA 'A' (subcaacert.pem)
    |
    |_ sub CA 'B' (subcabcert.pem)

The idea is to give web access for certificates which are issued by sub CA 'A'. Certificates issued by sub CA must be rejected. I don't want to use things like the SSLRequire directive to match certain fields in the certificate, but I want to use the structure of the CA. I use Apache 2.2.4.

Here is my first Apache configuration:

    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /<path-to>/cachain.pem
    SSLCertificateFile /<path-to>/cert.pem
    SSLCertificateKeyFile /<path-to>/key.pem

cachain.pem contains the Root CA and the sub CA 'A'. The cipher-blocks are added in the file in the described order. And I have also tried when the two certificates were merged like:

    openssl x509 -outform PEM -in subcaacert.pem -in subcabcert.pem -out cachain.pem

When I connect with a certificate which is issued by sub CA 'A', I get the following error:

    certificate chain too long (chain has 2 certificates, but maximum allowed are only 1)

It seems that the certificate chain length is greater than the supplied maximum depth. So, I changed to the following configuration:

    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /<path-to>/cachain.pem
    SSLCertificateFile /<path-to>/cert.pem
    SSLCertificateKeyFile /<path-to>/key.pem

I'm able to authenticate with my certificate, issued by sub CA 'A'. But I can also authenticate with a certificate which is issued by sub CA 'B'.

Instead of using SSLCACertificateFile I tried to use SSLCACertificatePath.

    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificatePath /<path-to>/
    SSLCertificateFile /<path-to>/cert.pem
    SSLCertificateKeyFile /<path-to>/key.pem

The directory that SSLCACertificatePath refers to contains cacert.pem and subcaacert.pem. Also, hash symlinks are created in that directory with the Makefile (http://search.cpan.org/src/MADWOLF/O...chain/Makefile).

When I connect with a certificate issued by sub CA 'A' I get the following error:

    Certificate Verification: Error (20): unable to get local issuer certificate

I'm kinda stuck at the moment. I have tried to google for some solutions, but I haven't found anything that is useful. Can anyone advise me on how to solve this issue?

Thanks in advance for any help.

Kind regards,
Carol

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org