
I'm trying to set up client authentication for one of my apps, but so far it isn't successful. I bought a Gandi wildcard SSL certificate for my domain *.example.com and here is the configuration on the Apache2 server:

In /etc/apache2/ssl I have the following files :

  • example.crt => certificate
  • example.csr => certificate signing request
  • example.key => private key
  • example.pem => intermediate certificate (which gandi gave me)

Here is my virtualhost configuration :

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName www.example.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/example/
        ErrorLog ${APACHE_LOG_DIR}/error-https.log
        CustomLog ${APACHE_LOG_DIR}/access-https.log combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/example.crt
        SSLCertificateKeyFile /etc/apache2/ssl/example.key
        SSLCACertificateFile /etc/apache2/ssl/example.pem
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLOptions +StdEnvVars
    </VirtualHost>
</IfModule>

Now, here is the process I went through to create my client certificate :

On the server :

# client private key
openssl genrsa -out client.key 2028
# certificate signing request for the client
openssl req -new -key client.key -out client.csr
# sign the CSR with the server certificate and its key
openssl x509 -sha256 -req -in client.csr -out client.crt -CA /etc/apache2/ssl/example.crt -CAkey /etc/apache2/ssl/example.key -CAcreateserial -days 1095

To make sure this works, I then transferred my "client.*" files to another private server and created this PHP script with curl to test the connection:

<?php
$url      = "https://www.example.com/api/client/";
$keyFile  = "/etc/apache2/conf/certs/client.key";
$certFile = "/etc/apache2/conf/certs/client.crt";
$certPass = "";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_VERBOSE, true);            // handshake trace goes to stderr
curl_setopt($ch, CURLOPT_SSLKEY, $keyFile);         // client private key
curl_setopt($ch, CURLOPT_SSLCERT, $certFile);       // client certificate presented to the server
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $certPass);
curl_setopt($ch, CURLOPT_PUT, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
$result = curl_exec($ch);
curl_close($ch);
var_dump($result);
die();

And this is the result :

*   Trying IP.AD.DR.RES...
* TCP_NODELAY set
* Connected to www.example.com (IP.AD.DR.RES) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
bool(false)

So this is where I'm stuck with my problem. In curl's debug output, I can see that my certificate authority is unknown. These two lines seem odd:

*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

Because it doesn't match my virtualhost configuration.

Thank you for your help!

2 Answers


I am sure this has already been answered many times.

CAfile and CApath are, respectively, the root CA file and the CA directory used by curl. Basically, this contains all the root CA certificates that are checked against whenever your client is authenticating to an external system.

Check the CA (certificate authority) for the client certificate that you're using to authenticate to the Apache server. Then, you need to check whether it is present in your CA list (the CAfile).


You gave Apache the wrong files to work with. The SSLCertificateFile should point to the certificate your server will present to anyone speaking SSL, so in your case it should be the example.pem file. The SSLCertificateKeyFile is the key file the server should use for SSL communication, so it should be the key for the example.pem certificate. These have nothing to do with client authentication whatsoever.

The SSLCACertificateFile is the CA certificate which should issue the clients' certificates, so it should be the example.crt file in your case.
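The server-side check behind the "tlsv1 alert unknown ca" message, reproduced offline as an added example (this is not code from the question or from either answer). The alert is sent by the server: ssl3_read_bytes reports an alert received from the peer, so curl's own CAfile/CApath lines, which only govern how curl verifies the server's certificate, are a red herring. The program below uses Go's crypto/x509 to build constructed stand-ins for the Gandi root, the example.pem intermediate, the *.example.com certificate (example.crt/example.key) and two client certificates; the names and serial numbers are assumptions. It then runs the verification mod_ssl performs for SSLVerifyClient require, with the certificates in SSLCACertificateFile as the trust pool: the client certificate must chain to that file, and every issuer on the chain must carry cA=TRUE. A client certificate signed with example.crt/example.key fails whichever file is configured, because example.crt is an end-entity certificate, while a certificate issued by a private client CA is accepted once that CA's certificate is what SSLCACertificateFile points at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey returns a P-256 key. ECDSA keeps the example fast; the poster's RSA keys behave the same.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate body: a CA (cA=TRUE, keyCertSign) when isCA is set,
// otherwise an end-entity certificate (cA=FALSE) with the given extended key usage.
func template(cn string, serial int64, isCA bool, eku x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	return t
}

// issue signs tmpl for pub with signerKey, whose certificate is parent (nil = self-signed).
// Like "openssl x509 -req -CA ... -CAkey ...", it does not refuse a non-CA parent, which is
// why the poster's client.crt could be created at all.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyClient is the check mod_ssl runs for "SSLVerifyClient require": the presented certificate
// must chain to a certificate in SSLCACertificateFile (caFile here) and every issuer on that chain
// must itself be a CA. A non-nil error is what the client sees as "tlsv1 alert unknown ca".
func verifyClient(client *x509.Certificate, caFile ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range caFile {
		pool.AddCert(c)
	}
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenarios rebuilds the question's files with constructed stand-ins and reports, for each
// choice of SSLCACertificateFile, whether the client certificate would be accepted.
func Scenarios() map[string]bool {
	rootKey, intKey, srvKey := newKey(), newKey(), newKey()
	root := issue(template("Stand-in Root CA", 1, true, 0), nil, &rootKey.PublicKey, rootKey)
	intermediate := issue(template("Stand-in Intermediate CA", 2, true, 0), root, &intKey.PublicKey, rootKey) // example.pem
	serverLeaf := issue(template("*.example.com", 3, false, x509.ExtKeyUsageServerAuth), intermediate, &srvKey.PublicKey, intKey) // example.crt

	// The question's procedure: client.csr signed with example.crt / example.key.
	posterKey := newKey()
	posterClient := issue(template("client", 4, false, x509.ExtKeyUsageClientAuth), serverLeaf, &posterKey.PublicKey, srvKey)

	// The fix: a private CA (cA=TRUE) whose only job is issuing client certificates.
	caKey, clientKey := newKey(), newKey()
	clientCA := issue(template("Example Client CA", 5, true, 0), nil, &caKey.PublicKey, caKey)
	goodClient := issue(template("client", 6, false, x509.ExtKeyUsageClientAuth), clientCA, &clientKey.PublicKey, caKey)

	return map[string]bool{
		"poster client.crt / SSLCACertificateFile=example.pem":      verifyClient(posterClient, intermediate) == nil,
		"poster client.crt / SSLCACertificateFile=example.crt":      verifyClient(posterClient, serverLeaf) == nil,
		"CA-issued client.crt / SSLCACertificateFile=example.pem":   verifyClient(goodClient, intermediate) == nil,
		"CA-issued client.crt / SSLCACertificateFile=client-ca.crt": verifyClient(goodClient, clientCA) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-58s accepted=%v\n", name, ok)
	}
}
```

Run it with `go run`; only the last scenario reports accepted=true. The practical reading for the question's setup: generate a dedicated client CA (cA=TRUE) rather than signing client.csr with the server's Gandi certificate, and point SSLCACertificateFile at that CA's certificate (or at a file concatenating every CA that may issue client certificates); the server's own certificate files stay as they are. `openssl verify -CAfile <SSLCACertificateFile> -purpose sslclient client.crt` performs the same check from the shell before touching Apache.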
