
I'm trying to set up httpd in front of a JBoss server, with client authentication using X.509 certs. I have followed this tutorial to create my own CA, server and client certs with OpenSSL, and it works. Now I'm trying to generate the certs using the EJBCA tool instead of OpenSSL, but I fail. The certs I generate have something badly configured, because when I try to use them I get an SSL handshake error between Apache and JBoss, and in the Apache logs I can see:

[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server hello A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 2, subject: /CN=DEXXISCA/O=DEXXIS/C=FR, issuer: /CN=DEXXISCA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 1, subject: /CN=DEXXIS-RND-CA/O=DEXXIS/C=FR, issuer: /CN=DEXXISCA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 0, subject: /CN=centralbase/O=DEXXIS/C=FR, issuer: /CN=DEXXIS-RND-CA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server key exchange A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate request A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server done A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1660): Proxy client certificate callback: (centralbase:443) entered
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1705): Proxy client certificate callback: (centralbase:443) no client certificate found!?

Does anybody know what I need to configure in EJBCA to get a certificate that will allow me to have SSL between Apache and JBoss (I'm using mod_proxy_http)?

Khaled
Nadir
  • I have discovered that the problem is in the certificate chain length. If I generate certs that are signed with just one root CA, everything works. If I create certs that are signed by some sub CA, and this sub CA is signed by the root CA, it fails. Could it be an Apache problem, that it does not work well with a CA chain? – Nadir Jan 08 '13 at 09:44

1 Answer

OK, I solved the problem. It appeared that EJBCA generated JKS files without all the CA certs (just the root CA); that's why when a sub CA was used it did not work. After fixing the server JKS file everything is OK.

Nadir
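The chain problem described in the comment and in this answer, reproduced as an added example with OpenSSL only (this is not code from the original thread, from EJBCA, or from mod_ssl). It issues a root CA, a sub CA signed by the root, and a server certificate signed by the sub CA, then shows that the leaf does not verify against a trust store holding only the root unless the sub CA is also supplied, which is exactly what a keystore that carries only the root CA leaves out. It finishes by building the artefacts the server side actually needs: a PEM chain (leaf followed by sub CA) and a PKCS#12 containing key, leaf and sub CA that keytool can import into a JKS. The names (demo-root, demo-sub, centralbase-demo), the password "changeit" and the temporary work directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread, EJBCA or mod_ssl.
# Reproduces "leaf signed by a sub CA, sub CA signed by a root CA" with
# openssl, so it runs without a JVM. Names, the password "changeit" and the
# work directory are assumptions made for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Issue a three-level chain: root CA -> sub CA -> server certificate.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' \
    > "$WORK/leaf.ext"

  # Root CA: self-signed, CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=demo-root/O=DEMO/C=FR" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 30 -out "$WORK/root.pem" 2>/dev/null

  # Sub CA: signed by the root, also CA:TRUE (otherwise it cannot issue).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/subca.key" \
    -out "$WORK/subca.csr" -subj "/CN=demo-sub/O=DEMO/C=FR" 2>/dev/null
  openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -extfile "$WORK/ca.ext" -days 30 -out "$WORK/subca.pem" 2>/dev/null

  # Server (leaf) certificate: signed by the sub CA, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=centralbase-demo/O=DEMO/C=FR" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/subca.pem" -CAkey "$WORK/subca.key" \
    -set_serial 3 -extfile "$WORK/leaf.ext" -days 30 -out "$WORK/server.pem" 2>/dev/null
}

# Verify the leaf the way a TLS peer does: trust only the root ($1), and use
# whatever intermediates are supplied ($3, optional). With no intermediates the
# walk stops at depth 1 ("unable to get local issuer certificate"), which is
# the position a keystore holding only the root CA puts the peer in.
verify_leaf() {
  trust="$1"; leaf="$2"; untrusted="${3:-}"
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$trust" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$trust" "$leaf" >/dev/null 2>&1
  fi
}

# Build what the server must ship: the leaf followed by the sub CA as a PEM
# chain, and a PKCS#12 carrying key + leaf + sub CA so that a JKS built from
# it has the whole chain attached to the key entry.
build_bundle() {
  cat "$WORK/server.pem" "$WORK/subca.pem" > "$WORK/server-chain.pem"
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -certfile "$WORK/subca.pem" -name centralbase-demo \
    -passout pass:changeit -out "$WORK/server.p12" 2>/dev/null
}

# Count the certificates in a PEM file or in the PKCS#12 bundle.
count_certs() {
  case "$1" in
    *.p12) openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
             | grep -c 'BEGIN CERTIFICATE' ;;
    *)     grep -c 'BEGIN CERTIFICATE' "$1" ;;
  esac
}

main() {
  make_chain
  build_bundle
  if verify_leaf "$WORK/root.pem" "$WORK/server.pem"; then
    echo "unexpected: leaf verified without the sub CA"
  else
    echo "leaf alone against the root:     FAILS (intermediate missing)"
  fi
  if verify_leaf "$WORK/root.pem" "$WORK/server.pem" "$WORK/subca.pem"; then
    echo "leaf + sub CA against the root:  OK"
  fi
  echo "certs in server-chain.pem: $(count_certs "$WORK/server-chain.pem")"
  echo "certs in server.p12:       $(count_certs "$WORK/server.p12")"
  echo "work dir: $WORK"
}
main
```

To turn the PKCS#12 into a JKS whose key entry carries the full chain, the usual step (not run here, it needs a JDK) is `keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server.jks`, and `keytool -list -v -keystore server.jks` should then show a "Certificate chain length: 2" for the entry. On the Apache side of the setup in the question, the proxy validates the JBoss chain against `SSLProxyCACertificateFile`; if JBoss only presents the leaf, that file has to contain the sub CA as well as the root, otherwise the verification stops at depth 1 just as `verify_leaf` does above.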