[OT] Apache SSL certificate authentication

Fraser Tweedale frase at frase.id.au
Sun Sep 28 04:01:58 UTC 2008

I've been trying to set up Apache to do certificate authentication
and although I've had success using a self-signed CA (which
naturally requires that the CA certificate be installed in the
browser), I want to do the same, only have the certificate(s) signed
by a real(*) CA, and am having some difficulty.

(*) Specifically, CACert, which still isn't a OOTB trusted CA in most

The way I expect this to work is:

- Create my CA key and a CSR, and have CACert sign it.
- Create a server key and CSR, and sign it with my CA
- Create a client certificate, signed by my CA.

So I end up with a certificate chain that goes:
	CACert -> my CA -> my server

But... this is not working.  Firefox won't verify the server (the
CACert root certificate .is. installed), and having bypassed this
check, Apache won't verify the client either.

The Apache configuration is as follows:

<VirtualHost *:443>
    ServerName foo.bar
    DocumentRoot /path/to/htdocs
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /sslpath/server.crt
    SSLCertificateKeyFile /sslpath/server.key
    SSLCACertificateFile /sslpath/my-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

Any suggestions are appreciated,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20080928/72c920f6/attachment.pgp

More information about the freebsd-questions mailing list