
I have an Apache webserver with a public official X.509 server certificate. Also I do want to use client authentication with a

self signed CA - signed -> intermediate certificate - signed -> client certificate

Also I added the line

SSLCACertificateFile <path>/ca.crt

into the Apache config, which works if I use client certificates signed directly by the CA.

The problem I am facing is that even though this is working just fine by signing the client certificate directly with the CA certificate, this does not work if I want to sign the client certificate with the intermediate certificate.

First I created the CA certificate

openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.crt

then signed the intermediate certificate

openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 100 -days 365 -outform PEM -out intermediate.crt

and then the client certificate

openssl x509 -req -in client.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.crt

Now if I want to check the chain, this returns OK:

openssl verify -verbose -CAfile ca.crt intermediate.crt

but this does fail:

openssl verify -CAfile ca.crt -untrusted intermediate.crt client.crt

because then it tells me: error 24 at 1 depth lookup:invalid CA certificate

If I sign the client certificate directly with the CA certificate, then this works flawlessly.

What am I doing wrong? If I want to export the client certificate, what do I need to export? Do I also need to export the intermediate .crt into the .p12?

  • What do you have configured for SSLVerifyDepth in Apache HTTP Server? If you have SSLVerifyDepth 0, this will allow only self-signed CAs. – divanov Nov 21 '22 at 14:30
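As an added example (not part of the question or the comment above), the same three-step procedure rebuilt so that the intermediate is explicitly marked as a CA with basicConstraints CA:TRUE via an -extfile, followed by the exact openssl verify call that fails in the question; all file names, subjects and serials are constructed for the demo:

```shell
#!/bin/sh
# Added example, not the asker's commands. Builds root -> intermediate -> client
# with the intermediate explicitly marked as a CA, then runs the same
# `openssl verify` the question shows. All names/subjects are constructed.
set -eu
# Function body is a subshell so cd and temp files do not leak into the caller.
build_and_verify_chain() (
  work=$(mktemp -d)
  cd "$work"

  # Without basicConstraints CA:TRUE the intermediate is an end-entity cert,
  # which is what "error 24 ... invalid CA certificate" at depth 1 reports.
  cat > intermediate_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > client_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  # Self-signed root CA (same shape as the question's first command)
  openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 3650 \
    -subj "/CN=Demo Root CA" -out ca.crt 2>/dev/null

  # Intermediate: CSR, then sign with the root AND apply the CA extensions
  openssl req -newkey rsa:2048 -nodes -keyout intermediate.key \
    -subj "/CN=Demo Intermediate CA" -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key \
    -set_serial 100 -days 365 -extfile intermediate_ext.cnf \
    -out intermediate.crt 2>/dev/null

  # Client certificate signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -keyout client.key \
    -subj "/CN=demo-client" -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA intermediate.crt \
    -CAkey intermediate.key -set_serial 101 -days 365 \
    -extfile client_ext.cnf -out client.crt 2>/dev/null

  # The check that failed in the question; prints "client.crt: OK" on success
  if openssl verify -CAfile ca.crt -untrusted intermediate.crt client.crt; then
    status=0
  else
    status=$?
  fi
  cd / && rm -rf "$work"
  exit "$status"
)
```

On the Apache side a client -> intermediate -> root chain also needs SSLVerifyDepth 2 (the default is 1), and the intermediate must be available to the server, for example appended to the SSLCACertificateFile bundle.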
