I'm trying to force Apache to authenticate users by their personal certificates before letting them access the site's content, on my company's LAN website.
So far I've tried configuring httpd-ssl.conf like this:
SSLVerifyDepth 0
SSLVerifyClient require
SSLProxyEngine off
When I go to https://localhost via Firefox, it shows me a dialog with the list of my imported certificates to choose one from.
That's OK, exactly what I expected. But then I wonder: "So, how can I give a test/verification against my client's certificate?" At this point all the certificates that I've tried from the cert dialog (all self-signed certs that I've created myself) were rejected by the server.
Some googling led me to a directive named "SSLCACertificateFile". That's the path to a certificate file that should be the root CA of all clients' certificates. In other words, any certificate from a client that was issued by this CA would be accepted as valid. (More about it can be found here.)
But the problem is, when I specify a concrete CA certificate file that way, Firefox stops showing me the certificate dialog box. The file "httpd-ssl.conf" then looks like this:
SSLCACertificateFile C:/(...)/apache2/server_certs/ca.pem
SSLVerifyDepth 0
SSLVerifyClient require
SSLProxyEngine off
Instead, Firefox showed me an error notification with error code: "ssl_error_handshake_failure_alert"
I'm sure the CA certificate file "ca.pem" is in the correct format, because it's the original one from the installation package that I downloaded. (Actually, it's in a free product named uniServer.)
I've tested this with IE and Chrome, with the same results. I've tried testing some other "ca.pem" files (all self-signed), and the result refused to change.
So, my question is quite simple: what's wrong with specifying a concrete CA file for the Apache directive "SSLCACertificateFile"?
If you can tell me the answer to that, then would you mind telling me some more ways to verify the client certs, such as CN, issued date, valid-to, etc.?
Thanks, and I highly appreciate any suggestion.
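As an added example (not from the original post), here is a mod_ssl configuration for the setup described above: it requires a client certificate chained to the CA in ca.pem, and then adds the CN and validity checks the question asks about. It assumes Apache 2.4 with mod_ssl and mod_authz_core, that ca.pem is the CA that actually issued the client certificates (self-signed client certs not issued by that CA are rejected by design), and that "example.com" and the path are placeholders.

```apache
# Added example, not the poster's config. Placeholder path and domain.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    C:/path/to/apache2/server_certs/server.crt
    SSLCertificateKeyFile C:/path/to/apache2/server_certs/server.key

    # CA that issued the client certificates. Apache also advertises this CA
    # to the browser, which is what makes the browser's cert dialog appear.
    SSLCACertificateFile  C:/path/to/apache2/server_certs/ca.pem

    # Demand a client certificate on every request in this vhost.
    SSLVerifyClient require

    # Depth 0 accepts ONLY self-signed client certs that are themselves in
    # ca.pem. A client cert issued by that CA sits at depth 1, so the
    # handshake fails with depth 0. Use 1 for certs issued directly by the CA
    # (raise it if an intermediate CA sits between ca.pem and the client).
    SSLVerifyDepth 1

    # Export SSL_CLIENT_* variables so scripts and logs can see who connected.
    SSLOptions +StdEnvVars

    <Location "/">
        # Additional checks on the presented client certificate. These run
        # after the chain has been verified against ca.pem, not instead of it.
        # 1) Only accept certificates whose subject CN ends in @example.com.
        # 2) Refuse certificates with fewer than 1 day of validity remaining.
        Require expr "%{SSL_CLIENT_S_DN_CN} =~ /@example\.com$/"
        Require expr "%{SSL_CLIENT_V_REMAIN} -gt 0"
    </Location>

    # Record the CN and serial of every authenticated client for auditing.
    LogFormat "%h %t \"%r\" %>s cn=%{SSL_CLIENT_S_DN_CN}x serial=%{SSL_CLIENT_M_SERIAL}x" mtls
    CustomLog logs/ssl_client_log mtls
</VirtualHost>
```

With several Require directives in one Location, all of them must pass (the default is RequireAll); if the client certificate itself does not chain to ca.pem the handshake is refused before these checks run, which matches the handshake-failure alert described in the question.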