Client SSL with Self Signed CA not working

icarus · Aug 13, 2010 · Viewed 16.2k times

I have been struggling with an SSL problem for more than 1 month.

We have used openssl to generate our own CA, server and client certificates. We have also enabled "SSLrequire" on the Apache web server (in htaccess, this may be wrong), which means that anyone trying to connect through https to the server needs to present a valid certificate.

The steps are as follows:

  • generate the CA key
  • generate the CA CSR
  • sign the CA CSR with the CA Key

so we have our own CA which is used to sign our server and client certificates.

next step

  • generate server key
  • generate server CSR
  • sign server CSR with CA Key

So we have our server certificate & server private key, which we installed successfully on the server.

Next we

  • generate client key
  • generate client CSR
  • sign client CSR with CA Key

We then distributed the client certificate to our users together with the CA certificate. Both were installed in their browsers.

When trying to connect we got the "Peer does not recognize and trust the CA that issued your certificate." error.

We identified the problem as being that the self-signed CA certificate was not installed on the server. Normally the server will present a list of trusted CAs to the device trying to connect to it, and the device will have to send a certificate that has been signed by any of the CAs the server has presented. But since our self-signed CA certificate was not installed on the server, the browser could present a certificate that would be acceptable to the server.

So we went on to install the CA cert on the server - control panel Hsphere.

We took the content of the CA certificate and copied it into the "Certificate Authority File" textarea on the server, and the server wouldn't accept it, every time complaining "Failed to update SSL Config Different key and certificate".

The CA certificate has been signed by itself, so how can the server say that the certificate and key are different?

We also tried to copy the content of both the CA certificate file and the CA key file into the "Certificate Authority File" textarea, but that also wouldn't work.

As I said, we have been struggling with that for more than one month. If anyone can help that would be really appreciated. If we have to pay for the service please let us know.

Thanks in advance.
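The three-stage procedure above, reproduced as an added example (not code from the question or the answer): it builds a self-signed CA, then a server and a client certificate signed by that CA, and then runs the two checks behind the errors in the question, whether a private key actually belongs to a certificate (the comparison a control panel makes before reporting a key/certificate mismatch) and whether a certificate chains to the CA (the trust decision the server makes about a presented client certificate). All file names, subjects and the working directory are assumptions; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not part of the question or answer. Builds the PKI the
# question describes (self-signed CA, CA-signed server and client certs)
# with the openssl CLI, then checks key/certificate pairing and chaining.
# File names, subjects and the WORK directory are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Stage 1: CA key, CA CSR, CSR self-signed with the CA key.
# basicConstraints CA:TRUE is what marks this certificate as a CA.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -subj "/CN=Example Private CA" \
    -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Stages 2 and 3: key, CSR, CSR signed by the CA. $1 is the file base name,
# $2 the subject, $3 the extended key usage (serverAuth or clientAuth).
make_signed_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$3" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Returns 0 when the public key inside certificate $1 equals the public half
# of private key $2. A mismatch here is what a "different key and
# certificate" style error is reporting.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when certificate $1 carries basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Returns 0 when certificate $1 chains to our CA: the same trust decision
# the server makes about a client certificate it is presented with.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
make_signed_cert server "/CN=www.your.host.example" serverAuth
make_signed_cert client "/CN=alice@example.test" clientAuth

for name in ca server client; do
  key_matches_cert "$WORK/$name.crt" "$WORK/$name.key" \
    && echo "$name: certificate and key match"
done
verify_against_ca "$WORK/client.crt" && echo "client.crt chains to ca.crt"
```

Run it as a whole script; it leaves the generated material in `$WORK` so the individual `openssl` commands can be re-run by hand. The key check compares the SubjectPublicKeyInfo printed by `openssl x509 -pubkey` with the one derived from the private key, which is the definitive test when a panel insists a certificate and key do not belong together.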

Answer

Bruno · Aug 13, 2010

(Perhaps https://serverfault.com/ would be a better place for this question.)

Here are a few options you can use in the Apache Httpd configuration (I'm not sure how this is mapped to your configuration panel).

SSLCertificateFile      /etc/ssl/certs/host.pem
SSLCertificateKeyFile   /etc/ssl/private/host.key
SSLCACertificatePath    /etc/ssl/certs/trusteddir
#SSLCACertificateFile   /etc/ssl/certs/trustedcert.pem
#SSLCADNRequestFile     /etc/ssl/certs/advertisedcas.pem

SSLCertificateFile and SSLCertificateKeyFile are the basic requirements to enable SSL on your server.

Because you want client-certificate authentication, you need to configure one of SSLCACertificatePath (for a directory) or SSLCACertificateFile (for a file) to say which CAs you want to trust, so add your CA certificate there. These should be files in the PEM format. Any certificate in there will be considered as trusted (although it may need to have the CA basic constraint, I can't remember; that's quite standard if you've generated a root CA certificate yourself anyway).

In addition to this, you can put certificates in an SSLCADNRequestFile. This shouldn't be necessary, as it's populated automatically from the SSLCACertificatePath or SSLCACertificateFile certificate directives, but if you want more control over the list of CAs the server advertises it may accept, that's where to do it. Just to clarify, this is not what manages the trust in client certificates, but just what the server advertises it may trust, so you still need SSLCACertificatePath or SSLCACertificateFile. Perhaps your "Certificate Authority File" option in your configuration panel controls that and not one of the other two options.

One way to debug this is to do this on the command line:

echo | openssl s_client -showcerts -connect www.your.host.example:443

This should list the certificate chain you present first (it would be good for it to present the full chain up to the CA, as some clients seem to need it sometimes, as far as I remember). Then, it should list the CAs it's willing to accept for client-certificate authentication, or "No client certificate CA names sent" otherwise (in which case there's a problem with one of the directives mentioned above). This will give you at least an indication of how SSLCADNRequestFile or SSLCACertificatePath/SSLCACertificateFile have been configured (although it's the last two that matter).
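A small filter for the `openssl s_client -showcerts` check described in this answer, added here as an example rather than taken from the answer: it extracts the CA names the server advertises for client-certificate authentication and fails when the server sent none, which is the symptom of SSLCACertificateFile / SSLCACertificatePath not being in effect. The two embedded transcripts are constructed samples of trimmed s_client output, and the host name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the answer: parse `openssl s_client -showcerts`
# output for the "Acceptable client certificate CA names" section.
# Live usage (host name assumed):
#   echo | openssl s_client -showcerts -connect www.your.host.example:443 \
#     2>/dev/null | advertised_client_cas
set -eu

# Prints one advertised CA subject per line; returns 1 when the server
# printed "No client certificate CA names sent" or no list at all.
advertised_client_cas() {
  awk '
    /^Acceptable client certificate CA names/ { grab = 1; next }
    # The name list ends at the next s_client section header.
    /^(---|Client Certificate Types|Requested Signature Algorithms|Shared Requested Signature|Peer sign|Server Temp Key)/ { grab = 0 }
    grab && NF { print; found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Constructed sample (trimmed) from a server that advertises one CA.
SAMPLE_WITH_CAS='---
Acceptable client certificate CA names
C = GB, O = Example Ltd, CN = Example Private CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 2271 bytes and written 433 bytes'

# Constructed sample from a server where no CA directive is in effect.
SAMPLE_WITHOUT_CAS='---
No client certificate CA names sent
Peer signing digest: SHA256
---
SSL handshake has read 1985 bytes and written 433 bytes'

# Turns a transcript into a yes/no result plus the names, for scripting.
report() {
  if names=$(printf '%s\n' "$1" | advertised_client_cas); then
    printf 'server advertises:\n%s\n' "$names"
  else
    echo 'server sent no client certificate CA names: check SSLCACertificateFile / SSLCACertificatePath'
    return 1
  fi
}

report "$SAMPLE_WITH_CAS"
report "$SAMPLE_WITHOUT_CAS" || true
```

The filter stops at the next section header s_client prints after the name list, so it works for both the TLS 1.2 layout (names followed by "Client Certificate Types") and the TLS 1.3 layout (names followed by "Requested Signature Algorithms"). A non-zero exit from `report` is the signal to revisit the trust directives, since the advertised list is derived from them unless SSLCADNRequestFile overrides it.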