Hi everyone ...
I'm using apache 1.2.6, SSLeay 0.9.0 running on a Sparc 20 with solaris
2.5.1 ...
I have successfully got to issue certificates, i.e. I'm my own CA, I have
successfully been able to load a personal certificate to my netscape 4
browser, but when I try to connect to my httpsd, after the browser tells
me that the server requires (SSLVerifyClient 2) my certificate,
it responds that "the server cannot verify your certificate".
This is my conf for the site:
<VirtualHost cambiar-passwd.reacciun.ve>
SSLVerifyClient 2
SSLVerifyDepth 10
SSLCertificateFile /usr/local/etc/SSL/SSLconf/servercert.pem
SSLCACertificateFile /usr/local/etc/SSL/SSLconf/ca-servercert.pem
SSLCACertificatePath /usr/local/SSL/certs
SSLLogFile /var/tmp/cambiar-passwd.log
CustomLog /var/log/httpsd/cambiar-passwd_log "%t %{version}c %{cipher}c %{clientcert}c"
ServerAdmin oaguirre@reacciun.ve
DocumentRoot /home/WWW/SSL/testing
ServerName www.cambiar-passwd.reacciun.ve
ServerAlias cambiar-passwd.reacciun.ve
ErrorLog /var/log/httpd/cambiar-passwd.reacciun.ve_log
TransferLog /var/log/httpd/cambiar-passwd.reacciun.ve-access_log
</VirtualHost>
These are the CA definitions in ssl.cnf:
[ CA_default ]
dir = /usr/local/SSL # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = x509v3_extensions # The extensions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
in /usr/local/etc/SSL/SSLconf/ I have:
lrwxrwxrwx 1 root root 14 May 15 10:06 0ad066a0.0 -> servercert.pem
lrwxrwxrwx 1 root root 43 May 14 11:32 895e2c3e.0 -> /usr/local/etc/SSL/SSLconf/certificates.pem
drwxr----- 2 root httpd 512 May 15 09:03 certificates/
-rw------- 1 root root 1847 May 14 11:30 certificates.pem
-rw------- 1 root root 2026 May 15 10:06 servercert.pem
in /usr/local/SSL/certs I have:
-rw-r----- 1 root httpd 2900 May 14 10:46 02.pem
-rw-r----- 1 root httpd 2965 May 14 11:17 03.pem
lrwxrwxrwx 1 root root 6 May 14 10:46 1160e0cd.0 -> 02.pem
lrwxrwxrwx 1 root root 6 May 14 11:17 dffba838.0 -> 03.pem
Every certificate has been issued using the Clifford Heath - basic CA
setup.
After many tries I'm giving up .. I know I am doing something really
wrong
but I don't know what ...
Could anyone help me please?
Thanks in advance ...
--
__________________________________________________________________________
| __ __ _ ______ __ _ _ _ _(@) | The opinions here are expressed |
| /__) /_ /_\/ / / / / /| / | "as is", with no warranty of any|
| / \ /__/ /\__\___/_ /_/ _/ |/ | kind. Use them at your own risk.|
|------------------------------------------------------------------------|
| Oswaldo E. Aguirre |
| Computer Science Engineer |
| Unix System & Network Manager |
| oaguirre@reacciun.ve |
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
||||||||||||||||||||||||||||||||||
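
Added example, not part of the original post: a pre-flight check for a configuration like the one above. It reads the SSLCertificateFile, SSLCACertificateFile and SSLCACertificatePath directives and reports any target that does not exist and any hash link in the CA path that does not resolve. The function name check_ssl_paths is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post).
# check_ssl_paths CONF
#   Prints one "PROBLEM ..." line per finding.
#   Returns 0 when every referenced path resolves, 1 otherwise.
check_ssl_paths() {
    conf=$1
    status=0
    # Each config line is split into directive, value and the rest.
    while read -r directive value _rest; do
        case $directive in
            SSLCertificateFile|SSLCACertificateFile)
                if [ ! -f "$value" ]; then
                    echo "PROBLEM $directive: no such file: $value"
                    status=1
                fi
                ;;
            SSLCACertificatePath)
                if [ ! -d "$value" ]; then
                    echo "PROBLEM $directive: no such directory: $value"
                    status=1
                    continue
                fi
                found=0
                # Hash links are named <hash>.<digit>, e.g. 1160e0cd.0
                for link in "$value"/*.[0-9]; do
                    # Skip the literal pattern when the glob matched nothing.
                    [ -e "$link" ] || [ -L "$link" ] || continue
                    found=1
                    # -e follows symlinks, so a dangling link fails here.
                    if [ ! -e "$link" ]; then
                        echo "PROBLEM $directive: dangling hash link: $link"
                        status=1
                    fi
                done
                if [ "$found" -eq 0 ]; then
                    echo "PROBLEM $directive: no hash links in $value"
                    status=1
                fi
                ;;
        esac
    done < "$conf"
    return "$status"
}
```

This only checks that the paths resolve. It does not check that a link's name matches the subject hash of the certificate it points to, or that the certificate is the one that issued the client certificates.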