I am having a problem with client authentication, getting client certificates to work.
I have installed the client certificate in Internet Explorer; this also installs the server certificate as a 'trusted root certificate'.
When I access the basic https area of the website all works correctly; when I attempt to go into the area where SSLVerifyClient is required, the certificate is prompted for. But when it is chosen I get a "The page cannot be displayed" error.
The error in the ssl_error_log is:
[Fri Jan 09 11:37:48 2004] [error] Re-negotiation handshake failed: Not accepted by client!?
If the certificates are viewed, IE says that they are valid etc.
I was after references to good HowTos, or any views on whether I have got the Apache setup right, or whether there is a problem with the certificates ....
Thanks in advance
Our server is:
Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6mdk) mod_perl/1.99_09 Perl/v5.8.1 mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2!
And clients are Internet Explorer IE6 and Opera 7.2
*****
SETUP CERTIFICATES AS FOLLOWS in directory /home/test/CA/:
*****
CERTIFICATION AUTHORITY
Generate New Certification Authority
perl CA.pl -newca (when prompted I set the CN to the server's IP address)
SERVER CERTIFICATE
Generate new certificate request for SERVER (newreq.pem)
perl CA.pl -newreq (when prompted I set the CN to the server's IP address)
Sign it (generates newcert.pem)
perl CA.pl -sign
Get Key from it
openssl rsa < newreq.pem > newkey.pem
CLIENT CERTIFICATE
Generate Unencrypted Key for CLIENT
openssl genrsa -out client_unsecure.key 1024
Generate new certificate request for CLIENT
openssl req -new -key client_unsecure.key -out client_unsecure.csr (when prompted I set the CN to the client's IP address)
Sign it
openssl ca -config /<somepath>/openssl.cnf -policy policy_anything -out client_unsecure.crt -infiles client_unsecure.csr
Create format for Internet Explorer
openssl pkcs12 -export -in client_unsecure.crt -inkey client_unsecure.key -name "Client Cert" -certfile ./demoCA/cacert.pem -out clientcert.p12
41_MOD_SSL.DEFAULT-VHOST.CONF SETTINGS AS FOLLOWS:
DocumentRoot "/var/
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
TransferLog logs/ssl_access_log
</IfModule>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
# Server Certificate:
SSLCertificateFile /home/test/CA/newcert.pem
# Server Private Key:
SSLCertificateKeyFile /home/test/CA/newkey.pem
# Server Certificate Chain:
# Certificate Authority (CA):
SSLCACertificateFile /home/test/CA/demoCA/cacert.pem
# Certificate Revocation Lists (CRL):
# Client Authentication (Type):
#SSLVerifyClient require
#SSLVerifyDepth 10
<Location /audit>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
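As an added example (not part of the post above, and not the poster's CA.pl-based procedure): the same PKI built with plain openssl commands, followed by the two offline checks worth running before blaming Apache. It verifies that the client certificate chains to the CA named in SSLCACertificateFile at the depth SSLVerifyDepth 1 allows, shows that a certificate from an unrelated CA is rejected by the same check, and confirms the PKCS#12 bundle handed to the browser carries both the client certificate and the CA certificate. The working directory, subject names, password and extension sections are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway PKI built with plain
# openssl commands (no CA.pl), then the checks a practitioner runs before
# touching the Apache config. WORK, PASS and the subject names are assumptions.

WORK=${WORK:-$(mktemp -d)}
PASS=${PASS:-changeit}

# Minimal openssl config. The CA gets basicConstraints CA:TRUE so that
# `openssl verify` (and mod_ssl) accept it as an issuer; leaf certs get an
# extendedKeyUsage matching their role (clientAuth for browser certs).
write_config() {
  cat >"$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
# subject is supplied with -subj on the command line
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_ca <name>: self-signed CA key and cert ($WORK/<name>.key, <name>.crt)
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue <ca> <name> <ext-section> <subject>: key + CSR, signed by <ca>
issue() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "$4" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$WORK/$2.crt" 2>/dev/null
}

# verify_chain <ca> <name>: succeeds only if <name>.crt chains to <ca>.crt
# within one step, i.e. what SSLVerifyClient require + SSLVerifyDepth 1 accepts
verify_chain() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_depth 1 "$WORK/$2.crt" >/dev/null 2>&1
}

# export_p12 <ca> <name>: browser bundle = client key + client cert + CA cert
export_p12() {
  openssl pkcs12 -export -in "$WORK/$2.crt" -inkey "$WORK/$2.key" \
    -certfile "$WORK/$1.crt" -name "Client Cert" -passout "pass:$PASS" \
    -out "$WORK/$2.p12" 2>/dev/null
}

# count_p12_certs <name>: number of certificates inside the bundle (expect 2)
count_p12_certs() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# demo: build the PKI, then show a cert from an unrelated CA fails the check
demo() {
  write_config
  make_ca testca
  issue testca server server_ext "/CN=192.0.2.10"
  issue testca alice  client_ext "/CN=alice"
  export_p12 testca alice
  make_ca otherca
  issue otherca mallory client_ext "/CN=mallory"
  verify_chain testca alice   && echo "alice:   accepted by testca"
  verify_chain testca mallory || echo "mallory: rejected by testca (wrong CA)"
  echo "certs in alice.p12: $(count_p12_certs alice)"
}

demo
```

Point SSLCertificateFile/SSLCertificateKeyFile at server.crt/server.key and SSLCACertificateFile at testca.crt, import alice.p12 into the browser, and the same verify_chain check is what mod_ssl performs during the renegotiation that the `<Location>` block triggers; a client certificate that fails `openssl verify` here will never be accepted there.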