Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Problem with client digital certificate

Posted on 2002-07-16
6
Medium Priority
?
298 Views
Last Modified: 2008-02-01
Hi,

I'm having some problems using my own CA for user authentication in Apache modssl, win32.
Everything works fine with a demo certificate issued by GlobalSign but when I try with a certificate issued by by own CA I get Invalid Certificate.
All the CAs certificates, in PEM format, are in the same file.
I allways get this error: [error] Certificate Verification: Error (24): invalid CA certificate

Here are the Logs Files:

OK:

+-------------------------------------------------------------------------+
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 3, subject: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 2, subject: /C=BE/O=GlobalSign nv-sa/OU=Primary Class 1 CA/CN=GlobalSign Primary Class 1 CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=BE/O=GlobalSign nv-sa/OU=Class 1 CA/CN=GlobalSign Class 1 CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Primary Class 1 CA/CN=GlobalSign Primary Class 1 CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 0, subject: /CN=joao.srodrigues@optimus.pt/Email=joao.srodrigues@optimus.pt, issuer: /C=BE/O=GlobalSign nv-sa/OU=Class 1 CA/CN=GlobalSign Class 1 CA
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client certificate A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client key exchange A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read certificate verify A
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(1027): OpenSSL: read 5/5 bytes from BIO#bogus %p[mem: bogus %p (QÑoðUÐoàaX
[Tue Jul 16 16:19:59 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(974): +-------------------------------------------------------------------------+

NOT OK:

+-------------------------------------------------------------------------+
[Tue Jul 16 16:23:47 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=PT/L=Lisboa/O=Optimus/OU=DT/Networks/IPS/CN=PosNet CA/Email=joao.srodrigues@optimus.pt, issuer: /C=PT/L=Lisboa/O=Optimus/CN=OptimusCA
[Tue Jul 16 16:23:47 2002] [error] Certificate Verification: Error (24): invalid CA certificate
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1864): OpenSSL: Write: SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1883): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1883): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Jul 16 16:23:48 2002] [error] SSL handshake failed (server jsrodrigues.optimus.pt:443, client 172.2.2.135)
[Tue Jul 16 16:23:48 2002] [error] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Tue Jul 16 16:23:48 2002] [info] Connection to child 145 established (server jsrodrigues.optimus.pt:443, client 172.2.2.135)
[Tue Jul 16 16:23:48 2002] [info] Seeding PRNG with 0 bytes of entropy
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1846): OpenSSL: Handshake: start
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_kernel.c(1854): OpenSSL: Loop: before/accept initialization
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(1027): OpenSSL: read 11/11 bytes from BIO#bogus %p[mem: bogus %p (QÑoðUÐoà«\
[Tue Jul 16 16:23:48 2002] [debug] C:\40_Prt1.Bak\Internet\temp\httpd-2.0.39-win32-src\apache\modules\ssl\ssl_engine_io.c(974): +-------------------------------------------------------------------------+

Can anyone helpme please!
0
Comment
Question by:jmsr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
6 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7159010
id you sign your certificate with your own CA?
The issuer key seems to be missing
0
 

Author Comment

by:jmsr
ID: 7159154
Yes. The Certificate is signed by my own CA.
Another thing. I've tryed with Netscape and it works fine.
I discovered that's a problem with MSIE implementation of SSL, but still not able to solve it.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7160361
oops, MSIE ...
have seen someone posting how to hack Windoze (registry?) to allow self-signed CA, but cannot remember ... sorry.
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 9691054
No comment has been added lately, so it's time to clean up this TA.

I will leave a recommendation in the Cleanup topic area with the following recommendation for this question:

PAQ/Refund

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

periwinkle
EE Cleanup Volunteer
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1200 total points
ID: 9692792
AFAIK IE has a bug that it rejects certificates which are not signed at all levels
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question