Client-side certificates (Apache, Linux, OpenSSL)

Solution 1:

Could be that you are using client certs with the wrong key usage. Please verify that your key usage has:

  • Critical
  • Signing
  • Non-repudiation
  • Key Encipherment

If you are using extended key usage, check for

  • Not Critical
  • TLS Web Client Authentication
  • E-mail protection

On the server side, verify that you have all the CA certs that were used to sign the client cert and that the relevant PKI hierarchy is set up. In a typical Apache setup, this would look like:

<VirtualHost *:443>
    ServerAdmin [email protected]
    DocumentRoot /var/www/
    ServerName service.example.net
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    <Directory "/var/www/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            # Apache 2.2 access control; on 2.4 replace these two lines with "Require all granted"
            Order allow,deny
            Allow from all
    </Directory>

    <Directory "/var/www/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
    </Directory>

    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCertificateFile    /usr/local/ssl/certs/Server.crt
    SSLCertificateKeyFile /usr/local/ssl/private/Server.key
    # Must contain every CA (root and any intermediates) in the client cert's chain
    SSLCACertificateFile  /usr/local/ssl/certs/caRoot.cacert.pem
    SSLVerifyClient require
    ErrorLog logs/service.example.net-443-error_log
    LogLevel info
    CustomLog logs/service.example.net-443-access.log combined
</VirtualHost>

Finally, you can try to debug with good old openssl

openssl s_client -connect server.example.net:443 -CAfile ../ca/caRoot.crt -cert client-Access.crt -key client-Access.key  -showcerts

or curl

curl -kv --key client-Access.key --cert client-Access.crt --cacert ../ca/caRoot.crt  https://server.example.net/

Good luck!
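The key usage and extended key usage lists above are easy to get wrong when issuing client certs by hand, and the error only shows up as a handshake failure on the Apache side. The script below is an added example, not code from the answer above: it builds a throwaway root CA and a client cert carrying exactly those usages (keyUsage marked critical, extendedKeyUsage not), then checks the result the way mod_ssl will, with `openssl verify -purpose sslclient` against the CA plus a scan of the printed extensions. It assumes OpenSSL 1.1.1 or later on PATH; the scratch directory and every file name (`ca.cnf`, `client.cnf`, `caRoot.*`, `client-Access.*`) are made up for the example.

```shell
#!/bin/sh
# Added example (not part of the original answer): make a test PKI whose client
# certificate has the key usage / extended key usage the answer lists, then
# verify it the way mod_ssl does. Assumes OpenSSL >= 1.1.1; file names are
# hypothetical.
set -eu

# Scratch directory (hypothetical); everything below is written into it.
WORK="${WORK:-$(mktemp -d)}"

# Create caRoot.crt/.key and client-Access.crt/.key under $WORK.
# Runs in a subshell so the cd does not leak into the caller.
make_test_pki() (
    cd "$WORK"

    # Self-signed root: CA:TRUE and keyCertSign so it is allowed to sign.
    cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 365 -keyout caRoot.key -out caRoot.crt 2>/dev/null

    # Client key + CSR. "openssl x509 -req" ignores extensions in the CSR, so
    # the usages are supplied with -extfile/-extensions when the CA signs.
    cat > client.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = client-Access
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl req -new -config client.cnf -newkey rsa:2048 -nodes -sha256 \
        -keyout client-Access.key -out client-Access.csr 2>/dev/null
    openssl x509 -req -in client-Access.csr -CA caRoot.crt -CAkey caRoot.key \
        -CAcreateserial -days 365 -sha256 -extfile client.cnf \
        -extensions client_ext -out client-Access.crt 2>/dev/null
)

# Return 0 only if cert $1 chains to CA $2 for the sslclient purpose and carries
# the usages the answer lists, with keyUsage critical and EKU not critical.
check_client_cert() {
    cert="$1"; ca="$2"
    # Same chain + purpose test mod_ssl applies under SSLVerifyClient require.
    openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$cert" -noout -text)
    for want in \
        'X509v3 Key Usage: critical' \
        'Digital Signature' 'Non Repudiation' 'Key Encipherment' \
        'TLS Web Client Authentication' 'E-mail Protection'; do
        printf '%s\n' "$text" | grep -q "$want" || { echo "missing: $want" >&2; return 1; }
    done
    # EKU must be present but not critical (a critical EKU trips some clients).
    printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage: critical'; then
        return 1
    fi
    return 0
}

make_test_pki
if check_client_cert "$WORK/client-Access.crt" "$WORK/caRoot.crt"; then
    echo "client cert OK; test PKI is in $WORK"
else
    echo "client cert does NOT pass the mod_ssl-style checks" >&2
fi
```

Point the `openssl s_client` and `curl` commands from the answer at `$WORK/client-Access.crt`, `$WORK/client-Access.key` and `$WORK/caRoot.crt` to test against a server whose `SSLCACertificateFile` includes `caRoot.crt`. Running `check_client_cert` against the CA cert itself fails, since it has neither `digitalSignature` nor `clientAuth`, which is the same reason a cert issued with the wrong usages is refused by Apache.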