Solved

Problem with client digital certificate

Posted on 2002-07-16
Last Modified: 2008-02-01
Hi,

I'm having some problems using my own CA for user authentication in Apache mod_ssl, win32.
Everything works fine with a demo certificate issued by GlobalSign, but when I try with a certificate issued by my own CA I get Invalid Certificate.
All the CA certificates, in PEM format, are in the same file.
I always get this error: [error] Certificate Verification: Error (24): invalid CA certificate

Here are the log files:

OK:

+-------------------------------------------------------------------------+
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 3, subject: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 2, subject: /C=BE/O=GlobalSign nv-sa/OU=Primary Class 1 CA/CN=GlobalSign Primary Class 1 CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=BE/O=GlobalSign nv-sa/OU=Class 1 CA/CN=GlobalSign Class 1 CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Primary Class 1 CA/CN=GlobalSign Primary Class 1 CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 0, subject: /CN=joao.srodrigues@optimus.pt/Email=joao.srodrigues@optimus.pt, issuer: /C=BE/O=GlobalSign nv-sa/OU=Class 1 CA/CN=GlobalSign Class 1 CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client certificate A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client key exchange A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read certificate verify A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(1027): OpenSSL: read 5/5 bytes from BIO#bogus %p[mem: bogus %p (QÑoðUÐoàaX
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(974): +-------------------------------------------------------------------------+

NOT OK:

+-------------------------------------------------------------------------+
[Tue Jul 16 16:23:47 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=PT/L=Lisboa/O=Optimus/OU=DT/Networks/IPS/CN=PosNet CA/Email=joao.srodrigues@optimus.pt, issuer: /C=PT/L=Lisboa/O=Optimus/CN=OptimusCA
[Tue Jul 16 16:23:47 2002] [error] Certificate Verification: Error (24): invalid CA certificate
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1864): OpenSSL: Write: SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1883): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1883): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [error] SSL handshake failed (server jsrodrigues.optimus.pt:443, client 172.2.2.135)
[Tue Jul 16 16:23:48 2002] [error] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Tue Jul 16 16:23:48 2002] [info] Connection to child 145 established (server jsrodrigues.optimus.pt:443, client 172.2.2.135)
[Tue Jul 16 16:23:48 2002] [info] Seeding PRNG with 0 bytes of entropy
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1846): OpenSSL: Handshake: start
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: before/accept initialization
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(1027): OpenSSL: read 11/11 bytes from BIO#bogus %p[mem: bogus %p (QÑoðUÐoà«\
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(974): +-------------------------------------------------------------------------+

Can anyone help me please!
Question by:jmsr
6 Comments
LVL 51

Expert Comment

by:ahoffmann
ID: 7159010
Did you sign your certificate with your own CA?
The issuer key seems to be missing.

Author Comment

by:jmsr
ID: 7159154
Yes. The certificate is signed by my own CA.
Another thing: I've tried with Netscape and it works fine.
I discovered that it's a problem with the MSIE implementation of SSL, but I'm still not able to solve it.
LVL 51

Expert Comment

by:ahoffmann
ID: 7160361
Oops, MSIE ...
I have seen someone posting how to hack Windoze (registry?) to allow a self-signed CA, but I cannot remember ... sorry.
LVL 15

Expert Comment

by:periwinkle
ID: 9691054
No comment has been added lately, so it's time to clean up this TA.

I will leave a recommendation in the Cleanup topic area with the following recommendation for this question:

PAQ/Refund

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

periwinkle
EE Cleanup Volunteer
LVL 51

Accepted Solution

by:ahoffmann (earned 300 total points)
ID: 9692792
AFAIK IE has a bug that it rejects certificates which are not signed at all levels
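The server-side check behind the question's log line "Certificate Verification: Error (24): invalid CA certificate" and the accepted answer's point that the chain is rejected at an intermediate level, as an added example that is not code from this thread. Error 24 is OpenSSL's X509_V_ERR_INVALID_CA: the verifier found an issuer for the certificate at depth 1 but does not accept that issuer as a CA, which for an X.509v3 certificate means basicConstraints is missing or says CA:FALSE (or keyUsage forbids keyCertSign). The script below builds a throwaway root -> intermediate -> client chain twice, once with the intermediate issued without CA rights and once with CA:TRUE, puts both CA certificates into one PEM file the way SSLCACertificateFile does, and runs `openssl verify` against it. Subject names follow the question's log; all keys and certificates are generated here, and the only assumption is an OpenSSL 1.1.1 or later command-line tool on PATH.

```shell
#!/bin/sh
# Added example (not code from the original thread): reproduce OpenSSL's
# verify error 24 "invalid CA certificate" with a throwaway three-level
# chain, then fix it by issuing the intermediate CA with CA:TRUE.
# Subject names follow the question's log; every key and certificate is
# generated here. Assumes an OpenSSL 1.1.1+ command-line tool on PATH.
set -eu

# Issue one certificate with the given subject and extension file.
#   $1 subject, $2 extension file, $3 base name for key/csr/pem,
#   $4 issuer base name, or "self" for the self-signed root.
issue() {
    openssl genrsa -out "$3.key" 2048 2>/dev/null
    openssl req -new -key "$3.key" -subj "$1" -out "$3.csr" 2>/dev/null
    if [ "$4" = self ]; then
        openssl x509 -req -in "$3.csr" -signkey "$3.key" -days 3650 \
            -extfile "$2" -out "$3.pem" 2>/dev/null
    else
        openssl x509 -req -in "$3.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 365 -extfile "$2" -out "$3.pem" 2>/dev/null
    fi
}

# Build root -> intermediate -> client in a scratch directory and verify
# the client certificate against one file holding both CA certificates
# (the same layout as mod_ssl's SSLCACertificateFile).
#   $1 = "broken": intermediate issued with basicConstraints CA:FALSE
#   $1 = "fixed":  intermediate issued with CA:TRUE and keyCertSign
# Prints the decisive line of the verify output.
build_and_verify() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        if [ "$1" = fixed ]; then
            cp ca.ext inter.ext
        else
            printf 'basicConstraints=critical,CA:FALSE\n' > inter.ext
        fi
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

        issue "/C=PT/L=Lisboa/O=Optimus/CN=OptimusCA" ca.ext root self
        issue "/C=PT/L=Lisboa/O=Optimus/CN=PosNet CA" inter.ext inter root
        issue "/CN=joao.srodrigues@optimus.pt" client.ext client inter

        # One file with all CA certificates, like the question's setup.
        cat root.pem inter.pem > cas.pem

        # Success prints "client.pem: OK"; failure prints
        # "error <n> at <depth> depth lookup: <reason>" on stderr.
        openssl verify -CAfile cas.pem client.pem 2>&1 \
            | grep -E '^(error [0-9]+ at [0-9]+ depth lookup:|client\.pem: OK)' \
            | head -n 1
    )
    rm -rf "$dir"
}

echo "intermediate issued with CA:FALSE: $(build_and_verify broken)"
echo "intermediate issued with CA:TRUE:  $(build_and_verify fixed)"
```

The broken run reports error 24 at depth 1, the same depth and error number as the mod_ssl log in the question; the fixed run verifies. The corresponding check on a real deployment is `openssl x509 -in <intermediate CA cert> -noout -text` and a look at the "X509v3 Basic Constraints" and "X509v3 Key Usage" lines of the certificate that appears at depth 1 in the log; if it was issued without CA:TRUE, the server will keep rejecting any client certificate chained through it, and the fix is to reissue that CA certificate with the CA extensions and rotate the client certificates under it.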
