[TriLUG] SSL and browser (client) certificates

Matt Flyer matt at noway2.thruhere.net
Sun Jan 23 15:01:44 EST 2011


I have obtained an SSL certificate from startSSL and received the
certificate and key file.  I was able to successfully import these into
Apache and bring up web pages that the browser recognizes without
warnings.  I would like to take this a step further and create 'client'
certificates that Apache will recognize for authentication to permit
access to secure pages.

My understanding is that you generate a key and certificate request.
You then get this certificate request 'signed' by the certificate
authority using the private key.  This is where I am having
difficulties and for the life of me I can't figure out how to do this.
I downloaded the certificate authority .pem files and the intermediate
chain file from startSSL and referenced them in my apache config like
this:
SSLCertificateFile /etc/apache2/ssl/startssl/site-cert.crt
SSLCertificateKeyFile /etc/apache2/ssl/startssl/site-key.key
SSLCertificateChainFile /etc/apache2/ssl/startssl/sub.class1.server.ca.pem
SSLCACertificateFile /etc/apache2/ssl/startssl/ca.pem

I then require SSL Level 1 verification on the page and get prompted for
the certificate.  Firefox provides the option of the one that startSSL
uses to authenticate your browser as the only option and this gives me
the following error: SSL peer had some unspecified issue with the
certificate it received.  (Error code:
ssl_error_certificate_unknown_alert)

If I remove the SSL Cert Chain and Cert file from the declaration (last
two lines above), the site will accept an earlier certificate attempt
that I created with a self-signed authority (??).

It seems to me that if the certificate is signed by the private key,
that there would be a mechanism to generate the certificate request and
have it signed.  Unfortunately, I can't seem to find this.  I tried
creating a pk12 certificate and giving my certificate and key, which I
then imported into the browser, but this doesn't seem to do anything
either.

Can anyone tell me how to create a browser certificate using the
vendor provided tools?
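The procedure the post describes (client key, CSR, CA signature, PKCS#12 bundle for the browser) as an added example that is not part of the original message or of StartSSL's tooling. It builds a private CA with the openssl CLI, issues a client certificate from it, and runs the same chain check Apache applies against SSLCACertificateFile, once against the issuing CA and once against an unrelated CA; all names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA, issue a
# browser (client) certificate from a CSR, and show that the CA listed in
# Apache's SSLCACertificateFile must be the one that *issued* the client
# cert. Requires the openssl CLI; every name and path here is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private CA: its private key is what signs client certificates.
make_ca() {                       # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# 2. Client side: generate a key and CSR, then have the CA sign the CSR.
issue_client_cert() {             # $1 = CA prefix, $2 = client CN
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -days 365 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/client.crt" >/dev/null 2>&1
  # 3. PKCS#12 bundle (cert + key + issuing CA) for import into Firefox.
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/$1.pem" -passout pass:demo \
    -out "$WORK/client.p12" >/dev/null 2>&1
}

# 4. The check Apache performs with SSLCACertificateFile: does the presented
#    client cert chain to a CA in that file? Prints "ok" or "fail".
verify_against() {                # $1 = CA prefix
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/client.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_ca own-ca "Demo Private CA"
make_ca other-ca "Unrelated CA"
issue_client_cert own-ca "demo-user"
RESULT_MATCH=$(verify_against own-ca)       # ok: CA that issued the cert
RESULT_MISMATCH=$(verify_against other-ca)  # fail: cert is unknown to this CA
echo "issuing CA: $RESULT_MATCH, unrelated CA: $RESULT_MISMATCH"
```

The "fail" case is the situation the post hits: a certificate issued by one CA is presented to a server whose SSLCACertificateFile names a different one, so the server rejects it as unknown.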
