I am trying to use the SSLCACertificatePath directive in httpd to point to a collection of roots and intermediates for client certificate validation.
I am able to use a full, concatenated PEM-encoded file without any difficulty (using the SSLCACertificateFile directive), but I would prefer to be able to point to a directory rather than building one massive file.
I have followed the instructions in the httpd manual (and documented here) including making hashes of all the files as follows:
awk command
For each pem file, ran:
openssl x509 -noout -hash -in NAME-OF-CA-FILE
to get the hash
When I point httpd to that directory, I end up getting the following errors when I attempt to do client certificate validation:
AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
So it's like it isn't finding the intermediates and roots.
Again, this all works when using the combined PEM.
Any advice?
Did you make sure that your Apache process has the rights to read the files in the folder?
When you use SSLCACertificateFile, the file is loaded during Apache startup, with root privileges.
When you're using SSLCACertificatePath, files are not loaded during startup.
I had the same problem, and setting correct rights on the folder solved it.
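A way to check a hashed CA directory for the permission problem described in the answer above, as an added example that is not part of the original question or answer. It assumes the caller supplies the uid and gids of the httpd worker account; the function names are hypothetical, ACLs and parent directories are not examined, and only the <hash>.<n> form of the names is checked, not that each hash matches its certificate.

```python
import os
import re
import stat

HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")  # OpenSSL lookup name: <subject-hash>.<n>

def _allowed(st, uid, gids, want):
    """Classic owner/group/other check from mode bits (ACLs are ignored)."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def audit_ca_path(ca_dir, uid, gids):
    """Return (entry, problem) pairs for a hashed CA directory as seen by uid/gids."""
    findings = []
    # The worker needs read + search (r-x) on the directory itself.
    if not _allowed(os.stat(ca_dir), uid, gids, 0o5):
        findings.append((ca_dir, "directory not readable/searchable"))
    linked = set()
    names = sorted(os.listdir(ca_dir))
    for name in names:
        if not HASH_NAME.match(name):
            continue
        path = os.path.join(ca_dir, name)
        try:
            st = os.stat(path)  # follows the symlink to the certificate file
        except FileNotFoundError:
            findings.append((name, "dangling hash link"))
            continue
        linked.add(os.path.realpath(path))
        if not stat.S_ISREG(st.st_mode) or not _allowed(st, uid, gids, 0o4):
            findings.append((name, "target not readable"))
    # Certificate files that no hash-named entry resolves to are never looked up.
    for name in names:
        path = os.path.join(ca_dir, name)
        if HASH_NAME.match(name) or os.path.isdir(path):
            continue
        if os.path.realpath(path) not in linked:
            findings.append((name, "no hash-named link"))
    return findings

if __name__ == "__main__":
    import sys  # usage: script.py CA_DIR UID GID
    for entry, problem in audit_ca_path(sys.argv[1], int(sys.argv[2]), {int(sys.argv[3])}):
        print(f"{entry}: {problem}")
```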