Client certificates and Apache

Don't think so, both Firefox 3.5.1 and IE8 are behaving this way.

I know at one client I did some work at, they had a client side certificate for authentication in IE7 and IE8 and they got prompted with that window so they could select the correct certificate to authenticate with. On a test machine with no cert installed it would still prompt except there would be no cert to choose from.

On my test machine here I have already imported the cert into IE and told it that it's a trusted CA.

It's like there's a config issue here preventing this from working.
 
Any other suggestions I can try to get this to work?

The guides on the web make this sound so easy and yet I am really battling to even get the prompt screen to select a certificate to authenticate to a web site.

Any ideas?
 
I've done it a handful of times, but not in the last year or two. As far as I recall, it was easy and works very well. One of my customers uses it extensively for authenticating their customers. I'm out of ideas with your setup though, and am curious to know what the problem is if/when you find it.
 
I'm totally baffled too. The logfile doesn't really give enough detail to troubleshoot this.

Am gonna have to keep researching it. I really appreciate your help (and patience) aragon!
 
Any luck with this?

I've run into the same problem, and am hoping you have figured out a workaround.

In case you haven't, I've found the following:
- I can easily get an entire Virtual Host to properly prompt for a client certificate
- I can get a given location within a non-ssl site to upgrade to client side SSL and prompt for a certificate

What I can't do is get a given location within a secured ( https ) site to prompt for a client cert. This, I believe is the same problem of the original post.

Oh, and I am using Apache 2.2.14 on FreeBSD 7.2
 
Hi, I would be very interested if anyone knows a solution/explanation for the above problem. I am experiencing the exact same problem with Apache v2.2.14 on Win XP SP3.

I am testing on the localhost and place my config directives inside :-

Code:
<VirtualHost _default_:443>
</VirtualHost>

All is well with SSL and certificates until I add in the line :-

Code:
SSLVerifyClient require
i.e. to require SSL Client Authentication.

This causes errors in all browsers IE8/FF/Chrome/Safari/Opera.

In FF the error is :-
Code:
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)

I have created all certificates and entered all configuration directives correctly as described in the Apache documentation.

And, it makes no difference whether I install client certificate on the browser.

As OP said, a request dialog should be appearing asking user to select client certificate.

But it's just not happening. I spent a lot of time looking into this, and would like to know what's up.

Then I can get on with my life OK?

And - Merry Xmas to all!
 
I have managed to solve this problem on my own system, and perhaps this is relevant to the OP's problem also - it's not something that is mentioned in the Apache documentation.

One thing that makes a client cert different from a web site cert is that it must contain the private key. The TLS handshake requires the client to have the private key. A web site cert contains only the public key<->identity association (plus digital signature).

This composite file has a standard format called PKCS#12 (.p12 file extension). To create such a file enter :-

openssl pkcs12 -export -out client_a.p12 -in client_a.crt -inkey client_a.key

where client_a.crt is the client cert and client_a.key is the private key file.

Then the browser can accept import of the file client_a.p12 as a 'Personal Certificate'. I tested this on Firefox/Chrome/Opera/IE8, and they all work, with the browser displaying a dialog for client cert choice on accessing the secure page.

However, the client cert MUST be imported into the browser first; it will not just prompt when you first access the secure site.

HTH.
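
The packaging step from the post above, with checks worth running before the .p12 is imported, as an added example that is not part of the original thread. It builds a constructed throwaway CA and client identity (the CA name, the temp directory, the function names and the `demo-only` passphrase are all assumptions) and confirms that the key matches the certificate, that the certificate chains to the issuing CA, and that the bundle really carries the private key.

```shell
#!/bin/sh
# Added example. Everything below is constructed test material: a throwaway
# CA, a client identity named client_a, and the passphrase "demo-only".
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {        # self-signed test CA that will issue the client certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_client() {    # client key and CSR, then a certificate signed by the test CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client_a" \
        -keyout "$WORK/client_a.key" -out "$WORK/client_a.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client_a.csr" -days 30 -CAcreateserial \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/client_a.crt" 2>/dev/null
}

key_matches_cert() {   # $1 = cert, $2 = key: compare the two public keys
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

chains_to_ca() {       # $1 = CA cert, $2 = client cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_p12() {           # the command from the post, made non-interactive
    openssl pkcs12 -export -out "$WORK/client_a.p12" -in "$WORK/client_a.crt" \
        -inkey "$WORK/client_a.key" -passout pass:demo-only
}

p12_has_private_key() {  # $1 = .p12 file: true if a private key can be extracted
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:demo-only 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

make_ca
make_client
key_matches_cert "$WORK/client_a.crt" "$WORK/client_a.key" && echo "key matches cert"
chains_to_ca "$WORK/ca.crt" "$WORK/client_a.crt" && echo "cert chains to test CA"
make_p12
p12_has_private_key "$WORK/client_a.p12" && echo "p12 contains the private key"
```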
 