How to trust a 'root' certificate

How to trust a 'root' certificate

Tammany, Curtis
Hello-

I am running Apache 2.2.22 with OpenSSL 1.0.1 on Windows (XP for dev and
server 2003 for production)

I require client certificates.

I am getting "FAILED:unable to get local issuer certificate" errors in my
log file from Windows 7 clients. Digging suggested that I check the
intermediate certificates that I have on the server with the openssl verify
command which returned "error 18 at 0 depth lookup:self signed certificate"

Running openssl version -d returns "OPENSSLDIR: c:/openssl-1.0.1/ssl". That
folder does not exist on my servers.

I think I need to get OpenSSL to trust the self signed certificate. What
steps do I take?

Thank you.

Curtis N. Tammany
Lead Web Application Developer, National Security & Defense
Systems Engineering and Technology
URS
16156 Dahlgren Road
Dahlgren, Virginia, 22448
[hidden email]
540.663.9507



Re: How to trust a 'root' certificate

Bernhard Fröhlich-2
On 26.04.2012 15:15, Tammany, Curtis wrote:

> Hello-
>
> I am running Apache 2.2.22 with OpenSSL 1.0.1 on Windows (XP for dev and
> server 2003 for production)
>
> The site requires client (CAC) certificates.
>
> I am getting "FAILED:unable to get local issuer certificate" errors in my
> log file from Windows 7 clients. Digging suggested that I check the
> intermediate certificates that I have on the server with the openssl verify
> command which returned "error 18 at 0 depth lookup:self signed certificate"
>
> Running openssl version -d returns "OPENSSLDIR: "c:/openssl-1.0.1/ssl". That
> folder does not exist on my servers.
>
> I think I need to get OpenSSL to trust the self signed certificate. What
> steps do I take?
>
> Thank you.

This is an Apache question and is only loosely connected to OpenSSL.

I'll take the liberty to forward you to CAcert.org's wiki which has a
page explaining how to configure Apache for client certificates at
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication
It may not be exactly what you need but might give you the right ideas.

Otherwise Apache's support groups may be able to help you in more detail.

I hope this helps a bit,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
RE: How to trust a 'root' certificate

Tammany, Curtis
I don't see this as an Apache issue. The site has required client certs for years now and Apache was configured to require client certificates.

I have intermediate DOD certs on the server but OpenSSL sees my DoD Root certificate as un-trusted self-signed so the chain is broken. From http://www.openssl.org/support/faq.html:

" 5. Why does <SSL program> fail with a certificate verify error?
This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information."

How can I get OpenSSL to "trust" my DOD root certificate?



Curtis


Re: How to trust a 'root' certificate

Bernhard Fröhlich-2
On 26.04.2012 15:58, Tammany, Curtis wrote:
> I don't see this as an Apache issue. The site has required client certs for years now and Apache was configured to require client certificates.
>
> I have intermediate DOD certs on the server but OpenSSL sees my DoD Root certificate as un-trusted self-signed so the chain is broken. From http://www.openssl.org/support/faq.html:
>
> " 5. Why does<SSL program>  fail with a certificate verify error?
> This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information."
>
> How can I get OpenSSL to "trust" my DOD root certificate?

Hmm, seems like we both are a bit wrong... :-)
You have to tell Apache about the trusted CA certificates, so that
Apache can tell OpenSSL where to look for them.

The Apache directives for this are SSLCACertificatePath if you are using
multiple certificate files in a directory, or SSLCACertificateFile if
you use a single file with all CA certificates concatenated. See
http://www.apache-ssl.org/docs.html#SSLCACertificateFile. That's the
Apache part.

The OpenSSL part is that your SSLCACertificatePath or
SSLCACertificateFile must contain the certificates of all your trusted
CAs, including the intermediate certificates in a specific format.
(N.B.: The intermediate certificates are not essential if your clients
can provide them during SSL handshake, but it's more reliable if you add
them to your server's list.)

For more details on what the file or directory have to look like, see for
example http://www.openssl.org/docs/apps/verify.html or
http://www.openssl.org/docs/apps/s_server.html

Is this closer to the mark?
Ted
;)

Re: How to trust a 'root' certificate

Peter Sylvester-3
On 04/26/2012 03:58 PM, Tammany, Curtis wrote:
> I don't see this as an Apache issue. The site has required client certs for years now and Apache was configured to require client certificates.
>
> I have intermediate DOD certs on the server but OpenSSL sees my DoD Root certificate as un-trusted self-signed so the chain is broken. From http://www.openssl.org/support/faq.html:

>
> " 5. Why does<SSL program>  fail with a certificate verify error?
> This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information."
>
> How can I get OpenSSL to "trust" my DOD root certificate?
>
>
In general all certificates that you have in the Apache as client CAs
are trusted, but they need to chain up to some root which must be part
of the set.

If the certificates are in a directory, and you have changed the OpenSSL
version, you might want to rehash. The hash logic has been changed at
some version.



RE: How to trust a 'root' certificate

Tammany, Curtis
In my htaccess file I have the following:
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +ExportCertData

In my httpd.conf file, I have the following:
SSLCACertificatePath conf/certs/
SSLCACertificateFile conf/certs/DOD_EMAILCerts.crt

DOD_EMAILCerts.crt contains the root cert plus many intermediates.

The site has been working fine for the most part for years. We are tracking SSL_CLIENT_VERIFY in our log file and with some Windows 7 clients, they cannot connect and we are seeing " FAILED:unable to get local issuer certificate" in the log.

As I said in an earlier email, I used the openssl version -d command and it responded: "OPENSSLDIR: c:/openssl-1.0.1/ssl". That folder does not exist.
Running openssl verify DOD_EMAILCerts.crt (with the cert file in the bin folder) returns:
DOD_EMAILCerts.crt: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
error 18 at 0 depth lookup:self signed certificate
OK

From http://www.madboa.com/geek/openssl/ I read:
" error 18 at 0 depth lookup:self signed certificate. Unless you make an exception, OpenSSL won’t verify a self-signed certificate."

They also go on to say:
" How do I get OpenSSL to recognize/verify a certificate?
Put the file that contains the certificate you’d like to trust into the certs directory discussed above. Then create the hash-based symlink. Here’s a little script that’ll do just that.

#!/bin/sh
#
# usage: certlink.sh filename [filename ...]

# "$@" (not $*) keeps file names containing spaces intact
for CERTFILE in "$@"; do
  # make sure file exists and is a valid cert
  test -f "$CERTFILE" || continue
  HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
  test -n "$HASH" || continue

  # use lowest available iterator for symlink
  for ITER in 0 1 2 3 4 5 6 7 8 9; do
    test -f "${HASH}.${ITER}" && continue
    ln -s "$CERTFILE" "${HASH}.${ITER}"
    test -L "${HASH}.${ITER}" && break
  done
done"

That is for Linux.
How do I get OpenSSL to recognize/verify a certificate on Windows XP/2003? (like step-by-step instructions).

Thanks.

Curtis


Re: How to trust a 'root' certificate

Peter Sylvester-3
On 04/26/2012 05:20 PM, Tammany, Curtis wrote:
> In my htaccess file I have the following:
> SSLRequireSSL
> SSLVerifyClient require
> SSLVerifyDepth 5
> SSLOptions +ExportCertData
>
> In my httpd.conf file, I have the following:
> SSLCACertificatePath conf/certs/
> SSLCACertificateFile conf/certs/DOD_EMAILCerts.crt
I am not sure which one takes precedence, but having
both is probably not OK with Apache. Try:

    cd conf/certs/
    c_rehash

That's for Linux. But for Windows, the OpenSSL logic is
the same: it opens the file. OpenSSL doesn't know whether
it is a link or a file.

So ....

>
> DOD_EMAILCerts.crt contains the root cert plus many intermediates.
>
> The site has been working fine for the most part for years. We are tracking SSL_CLIENT_VERIFY in our log file and with some Windows 7 clients, they cannot connect and we are seeing " FAILED:unable to get local issuer certificate" in the log.
>
> As I said in an earlier email, used the openssl version -d command and it responded: "OPENSSLDIR: "c:/openssl-1.0.1/ssl" That folder does not exist.
> Running openssl verify DOD_EMAILCerts.crt (with the cert file in the bin folder) returns:
> DOD_EMAILCerts.crt: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
> error 18 at 0 depth lookup:self signed certificate
> OK
with that command you are verifying the first cert in that file, and
since it is probably self signed, you cannot do that.

If, on the other hand you happen to have an intermediate as the
beginning you get the other cannot find issuer message.



>  From http://www.madboa.com/geek/openssl/ I read:
> " error 18 at 0 depth lookup:self signed certificate. Unless you make an exception, OpenSSL won’t verify a self-signed certificate."
>
> They also go on to say:
> " How do I get OpenSSL to recognize/verify a certificate?
> Put the file that contains the certificate you’d like to trust into the certs directory discussed above. Then create the hash-based symlink. Here’s a little script that’ll do just that.
>
> #!/bin/sh
> #
> # usage: certlink.sh filename [filename ...]
>
> for CERTFILE in $*; do
>    # make sure file exists and is a valid cert
>    test -f "$CERTFILE" || continue
>    HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
>    test -n "$HASH" || continue
>
>    # use lowest available iterator for symlink
>    for ITER in 0 1 2 3 4 5 6 7 8 9; do
>      test -f "${HASH}.${ITER}"&&  continue
>      ln -s "$CERTFILE" "${HASH}.${ITER}"
>      test -L "${HASH}.${ITER}"&&  break
>    done
> done"
>
> That is for Linux.
> How do I get OpenSSL to recognize/verify a certificate on Windows XP/2003? (like step-by-step instructions).
... instead of ln -s you can create a copy ...
for more detailed instructions, I can charge you 100EUR per line. :-)
...


... Just put all the CA certificates into one file and remove the

SSLCACertificatePath

and just keep the

SSLCACertificateFile


RE: How to trust a 'root' certificate

Tammany, Curtis
>
> ... Just put all the CA certificates into one file and remove the
>
> SSLCACertificatePath
>
> and just keep the
>
> SSLCACertificateFile

All of the certs are in one file... with the root cert being the first one in the file.
They all begin with -----BEGIN CERTIFICATE-----
and end with -----END CERTIFICATE-----
How is removing the SSLCACertificatePath going to get OpenSSL to verify/trust the root cert?

SSLCACertificateFile conf/certs/DOD_EMAILCerts.crt
The full path would be C:\Apache\conf\certs

Running openssl version -d returns "OPENSSLDIR: c:/openssl-1.0.1/ssl".

Do I need to have DOD_EMAILCerts.crt in BOTH folders?


RE: How to trust a 'root' certificate

Tammany, Curtis
They are not test certificates. No- I cannot send them.
Sorry.

Curtis

From: Sergio NNX [mailto:[hidden email]]
Sent: Thursday, April 26, 2012 14:07
To: Tammany, Curtis
Subject: RE: How to trust a 'root' certificate

> Running openssl version -d returns "OPENSSLDIR: c:/openssl-1.0.1/ssl".
>
> Do I need to have DOD_EMAILCerts.crt in BOTH folders?

Ciao Curtis.

Are those certs 'test' certs? I'm also using Apache and OpenSSL here and I was wondering if you could send me those certs and i can test them right now?

Cheers.

Sergio.