
My company purchased a wildcard certificate from a vendor. This certificate was successfully configured with Apache 2.2 to secure a subdomain. Everything on the SSL side works.

Now I'm required to generate x509 client-side certificates to issue for this subdomain. I'm following along this page: (http://www.vanemery.com/Linux/Apache/apache-SSL.html), starting with "Creating Client Certificates for Authentication".

I've generated the p12 files and successfully imported them into Firefox. When I browse to the site now, I get an error in Firefox that says "The connection to the server was reset while the page was loading."

I think my problem is coming from not signing the client-side correctly. When I sign the client-side certificate, I'm using the PEM file (RapidSSL_CA_bundle.pem) from RapidSSL (who we bought the certificate from) for the -CA argument. For the -CAkey argument, I'm using the private key of the server. Is this correct?

1 Answer

Could be that you are using client certs with the wrong key usage. Please verify that your key usage has:

  • Critical
  • Signing
  • Non-repudiation
  • Key Encipherment

If you are using extended key usage, check for

  • Not Critical
  • TLS Web Client Authentication
  • E-mail protection

On the server side, verify that you have all the CA certs that were used to sign the client cert and that the relevant PKI hierarchy is set up. In a typical Apache setup, this would look like:

    <VirtualHost *:443>
        ServerAdmin [email protected]
        DocumentRoot /var/www/
        ServerName service.example.net
        ScriptAlias /cgi-bin/ /var/www/cgi-bin/
        <Directory "/var/www/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>
        <Directory "/var/www/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
        </Directory>
        SSLEngine on
        SSLOptions +StdEnvVars
        SSLCertificateFile /usr/local/ssl/certs/Server.crt
        SSLCertificateKeyFile /usr/local/ssl/private/Server.key
        # CA (or chain) that issued the client certificates
        SSLCACertificateFile /usr/local/ssl/certs/caRoot.cacert.pem
        SSLVerifyClient require
        ErrorLog logs/service.example.net-443-error_log
        LogLevel info
        CustomLog logs/service.example.net-443-access.log combined
    </VirtualHost>

Finally, you can try to debug with good old openssl:

    openssl s_client -connect server.example.net:443 -CAfile ../ca/caRoot.crt -cert client-Access.crt -key client-Access.key -showcerts

or curl:

    curl -kv --key client-Access.key --cert client-Access.crt --cacert ../ca/caRoot.crt https://server.example.net/

Good luck!
