top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Apache: Acceptable client certificate CA names Limitations

+3 votes
781 views

I have Apache 2.4 (win32) and have the following in my CA bundle.

Root 1
Subordinate 1
Subordinate 2

My server was signed off Subordinate 1, When I do openssl s_client -connect server:443, it shows both Subordinate 1 and Subordinate 2 in the acceptable CA names.

If I remove Subordinate 2 from the bundle, It only shows Subordinate 1 as a acceptable CA. However, if I remove Subordinate 1, it still shows as an acceptable CA.

It seems httpd references not only cabundle/cafiles but also certs in the Chain file. as acceptable CAs.

Is it possible to prevent a user signed off Subordinate 1 from using client certificate authentication while the server cert is issued off Subordinate 1?

posted Mar 13, 2015 by anonymous

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
+1 vote

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

+4 votes

We want to set up SSL client authentication and we will only have a single client that we want to allow through to the website.

Is it possible to allow just a single certificate to authenticate by just specifying that one cert in SSLCACertificateFile? i.e. without specifying the CA cert instead?

If so, would my SSLVerifyDepth then be zero?

Are there any reasons I might not have thought about why this isn't a good idea or any other considerations?

+4 votes

The ssl cert on my apache server have expired. It is actually a server at work - a important one as well so I'm a bit stressed at the moment.

The cert is renewed and I have received the cert files. I'm now trying to install them but I can't get it to work.

I thought it was as simple as just copying the new crt file to the server and restart apache but apache start fails.

I see this in the log:

509 certificate routines:X509_check_private_key:key values mismatch

Server: Apache 2.2.22 on Ubuntu 12.04. How does one install a renewed ssl cert? Do I need to create a new private key and ca-bundle? Please point me in the right direction.

0 votes

Running Apache 2.4.7 and current configuration limiting access to a directory to only clients that can provide a trusted client certificate. Server is SSL host. Would like to modify configuration to allow "local" clients (127.0.0.1, etc. as defined by Require local auth provider) to access the directory without authenticating with a client certificate. So the local host may access the directory without SSL client auth, but all others must authenticate with a client certificate or access is forbidden. What is the best/proper way to do this?

I would like to use modern directives (avoiding Allow, Deny, Order etc. from mod_access_compat) but I am not clear how to combine Require related directives with mod_ssl options like SSLVerifyClient.

Thanks in advance?

+1 vote

In our application we use authentication based on client ssl certificate. I've found out that the checking of client cert revocation is not done automatically, if the Crl Distribution Point is present in client certificate. Is it an intention or only not done yet?

The only way how to do revocation checking is to configure SSLCARevocationPath or SSLCARevocationFile.

The world of certificates is full of mess. Crl Distribution Point is not mandatory. So if it is not present, it is the last chance to do checking thorugh SSLCARevocation* vars. So they have their meaning. I've found a discussion about reloading values of SSLCARevocation*

http://markmail.org/message/nrhnyd6dppl25uxj

"CRL refreshing should also be taken into account; killing and restarting a webserver every hour or every day because we downloaded a new CRL is not a viable solution in a production environment, and OCSP
is not always a good answer (we're not talking about a sub-minute revocation status)."

So my question is. Is the CRL refreshing (reload of CRL files) done in the current Apache versions? And in the end, what about OCSP - is it supported?

...