Client Verification with sub ca's

I have a self signed ca, with multiple sub-ca's.

    root
     - sub-ca1
     - sub-ca2
     - server

I sign client certificates with either sub-ca1 or sub-ca2, and use server to sign certificates for the actual website. So in my apache config, I have this:

    SSLEngine on
    SSLOptions +stdEnvVars
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/keys/test.crt
    SSLCertificateKeyFile /data/keys/test.key
    SSLCertificateChainFile /data/keys/chain.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /data/keys/ca.pem

test.crt is signed by server.
chain.pem contains server and root in that order.
ca.pem contains sub-ca2 and root in that order.

Everything seems to work fine except for the fact that the website also accepts client certificates signed by sub-ca1. But I'm trying to restrict this site to only sub-ca2 clients. I tried:

1) removing the root from ca.pem, that gives me a "Certificate Verification: Error (2): unable to get issuer certificate" error.
2) removing the root from ca.pem, adding sub-ca2 to chain.pem, same error.
3) changing SSLVerifyDepth to 1, that gives me a "Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)" error.

Anyone know how to get apache to only allow clients from one sub-ca but not others signed by the same root?
Re: Client Verification with sub ca's

Hi,

Same setup as works with both subCAs. Use the SSLRequire directive. Restrict on the client cert's issuer field (SSL_CLIENT_I_DN...).

Regards
Matt

----- Original Message ----
From: leanmeandonothingmachine <leanmeandonothingmachine@...>
To: modssl-users@...
Sent: Thursday, March 12, 2009 2:03:07 PM
Subject: Client Verification with sub ca's

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              modssl-users@...
Automated List Manager                                 majordomo@...
Re: Client Verification with sub ca's

Thanks, that works. A little tricky if you want to use SSLVerifyClient optional, as it 403s everything in that case instead of just not filling in the client variables. But I can always do that programmatically if I need it.

--
View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22478223.html
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
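The issuer check Matt suggests, done in application code as the reply above says it can be, so that SSLVerifyClient optional serves certificate-less requests as anonymous instead of 403ing them; this is an added example, not code from the thread or from mod_ssl. The Example Corp issuer and subject DNs and the sample request environments are constructed.

```python
from typing import Dict, Optional

# Constructed issuer DN for sub-ca2 in the oneline "/C=..." form mod_ssl on
# Apache 2.2 exports (2.4 defaults to RFC 2253 "CN=..,O=.." unless
# SSLOptions +LegacyDNStringFormat); use the form your server emits.
ALLOWED_ISSUERS = frozenset({"/C=US/O=Example Corp/OU=PKI/CN=sub-ca2"})

def classify_client(env: Dict[str, str]) -> str:
    """Classify a request from the variables SSLOptions +StdEnvVars exports.
    Chain validation only proves the cert chains to the root in ca.pem, which
    sub-ca1 and sub-ca2 clients both do; the issuer DN tells them apart,
    exactly what SSLRequire on SSL_CLIENT_I_DN checks."""
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return "anonymous"      # no cert presented (SSLVerifyClient optional)
    if verify != "SUCCESS":     # "FAILED:<reason>", or "GENEROUS" (optional_no_ca)
        return "unverified"
    if env.get("SSL_CLIENT_I_DN", "").strip() not in ALLOWED_ISSUERS:
        return "wrong-issuer"   # valid chain, but signed by the other sub-CA
    return "authenticated"

def client_identity(env: Dict[str, str]) -> Optional[str]:
    """Subject DN to treat as the logged-in user, or None: the 'just leave the
    client variables empty' behaviour wanted with SSLVerifyClient optional."""
    return env["SSL_CLIENT_S_DN"] if classify_client(env) == "authenticated" else None

def http_status(env: Dict[str, str], allow_anonymous: bool) -> int:
    """200/403 decision; anonymous requests pass only when allow_anonymous is set."""
    state = classify_client(env)
    if state == "authenticated" or (state == "anonymous" and allow_anonymous):
        return 200
    return 403

# Constructed sample environments, as Apache hands them to a CGI/WSGI app.
SUB_CA = "/C=US/O=Example Corp/OU=PKI/CN=sub-ca"
SAMPLE_REQUESTS = {
    "sub-ca2 client": {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_I_DN": SUB_CA + "2",
                       "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/CN=alice"},
    "sub-ca1 client": {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_I_DN": SUB_CA + "1",
                       "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/CN=bob"},
    "no cert": {"SSL_CLIENT_VERIFY": "NONE"},
    "bad chain": {"SSL_CLIENT_VERIFY": "FAILED:unable to get issuer certificate",
                  "SSL_CLIENT_I_DN": SUB_CA + "2"},
}

if __name__ == "__main__":
    for name, env in SAMPLE_REQUESTS.items():
        print(f"{name:15} {classify_client(env):14} "
              f"optional={http_status(env, True)} require={http_status(env, False)}")
```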