Welcome to WebmasterWorld Guest from

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

SSL Client Authentication

ssl client certificate authentication apache

9:35 pm on Apr 14, 2014 (gmt 0)

New User

joined:Apr 14, 2014
posts: 2
votes: 0

Hello everyone,

I have been trying to set ssl client authentication with Apache and I am not sure what I am doing wrong...

I basically have a server certificate issued by GeoTrust/RapidSSL. For the normal ssl authentication I use the following configuration (and it works fine):

SSLEngine on 
SSLCertificateFile /etc/ssl/certs/my-domain.crt
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
SSLCertificateKeyFile /etc/ssl/private/private.pem

For the client authentication I created client certificate using the my-domain.crt and private.pem to sign it. Here is the openssl command:

openssl ca -config openssl.cnf -days 360 -in client.csr -out client.crt -keyfile private.pem -cert my-domain.crt -policy policy_anything

I created a certificate chain file by pasting my-domain.crt and then intermediate.crt into one whole my-domain-full.pem file.
And to the Apache configuration I added:

SSLVerifyClient optional 
SSLVerifyDepth 10
SSLCACertificateFile /etc/ssl/certs/my-domain-full.pem

I converted the client.crt into pkcs12 format and loaded it into the browser. Then I tried accessing my-domain and got the following error:
Peer does not recognize and trust the CA that issued your certificate. (Error code: ssl_error_unknown_ca_alert)

I hope you can see what I'm doing wrong... Thanks in advance for any hints!