Solved

Problem with client digital certificate

Posted on 2002-07-16
6
292 Views
Last Modified: 2008-02-01
Hi,

I'm having some problems using my own CA for user authentication in Apache modssl, win32.
Everything works fine with a demo certificate issued by GlobalSign but when I try with a certificate issued by by own CA I get Invalid Certificate.
All the CAs certificates, in PEM format, are in the same file.
I allways get this error: [error] Certificate Verification: Error (24): invalid CA certificate

Here are the Logs Files:

OK:

+-------------------------------------------------------------------------+
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 3, subject: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 2, subject: /C=BE/O=GlobalSign nv-sa/OU=Primary Class 1 CA/CN=GlobalSign Primary Class 1 CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=BE/O=GlobalSign nv-sa/OU=Class 1 CA/CN=GlobalSign Class 1 CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Primary Class 1 CA/CN=GlobalSign Primary Class 1 CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 0, subject: /CN=joao.srodrigues@optimus.pt/Email=joao.srodrigues@optimus.pt, issuer: /C=BE/O=GlobalSign nv-sa/OU=Class 1 CA/CN=GlobalSign Class 1 CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client certificate A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client key exchange A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read certificate verify A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(1027): OpenSSL: read 5/5 bytes from BIO#bogus %p[mem: bogus %p (QÑoðUÐoàaX
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(974): +-------------------------------------------------------------------------+

NOT OK:

+-------------------------------------------------------------------------+
[Tue Jul 16 16:23:47 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=PT/L=Lisboa/O=Optimus/OU=DT/Networks/IPS/CN=PosNet CA/Email=joao.srodrigues@optimus.pt, issuer: /C=PT/L=Lisboa/O=Optimus/CN=OptimusCA
[Tue Jul 16 16:23:47 2002] [error] Certificate Verification: Error (24): invalid CA certificate
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1864): OpenSSL: Write: SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1883): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1883): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [error] SSL handshake failed (server jsrodrigues.optimus.pt:443, client 172.2.2.135)
[Tue Jul 16 16:23:48 2002] [error] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Tue Jul 16 16:23:48 2002] [info] Connection to child 145 established (server jsrodrigues.optimus.pt:443, client 172.2.2.135)
[Tue Jul 16 16:23:48 2002] [info] Seeding PRNG with 0 bytes of entropy
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1846): OpenSSL: Handshake: start
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: before/accept initialization
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(1027): OpenSSL: read 11/11 bytes from BIO#bogus %p[mem: bogus %p (QÑoðUÐoà«\
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(974): +-------------------------------------------------------------------------+

Can anyone helpme please!
0
Comment
Question by:jmsr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
6 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7159010
id you sign your certificate with your own CA?
The issuer key seems to be missing
0
 

Author Comment

by:jmsr
ID: 7159154
Yes. The Certificate is signed by my own CA.
Another thing. I've tryed with Netscape and it works fine.
I discovered that's a problem with MSIE implementation of SSL, but still not able to solve it.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7160361
oops, MSIE ...
have seen someone posting how to hack Windoze (registry?) to allow self-signed CA, but cannot remember ... sorry.
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 9691054
No comment has been added lately, so it's time to clean up this TA.

I will leave a recommendation in the Cleanup topic area with the following recommendation for this question:

PAQ/Refund

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

periwinkle
EE Cleanup Volunteer
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 300 total points
ID: 9692792
AFAIK IE has a bug that it rejects certificates which are not signed at all levels
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As Wikipedia explains 'robots.txt' as -- the robot exclusion standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a websit…
It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question