All,

I am working in an environment utilizing a PKI consisting of several Root and Intermediate Certificate Authorities. In order to reduce the overhead when requiring client authentication using digital certificates, I am using the following two directives:

SSLCACertificatePath – Used for Root and Intermediate CAs
SSLCARevocationPath – Used to Process Certificate Revocation Lists

I’ve yet to encounter a version of Apache and Mod_SSL performing proper path validation. If a user presents a certificate that is revoked, but not included in the directory containing all the PEM/Base64 encoded CRL files and associated symbolic links, Apache allows access.

If a user presents a certificate issued from an Intermediate Certificate Authority that is not included in the directory containing all the Root and Intermediate CA certificates in PEM/Base64 encoded format and associated symbolic links, he/she is allowed access.

I would prefer the system to validate the entire chain and not allow access in the event a local CRL file or Intermediate CA certificate is not available. By default, IIS performs this path validation correctly. If IIS does not have a current CRL file issued by each and every CA in the certificate path, the client is denied access. If IIS does not have a certificate from each and every CA in the certificate path, the client is denied access.

I am trying to automate the process of updating the CA certificate directory and associated CRL directories by scheduling a job to run on a nightly basis. If Apache has a local CRL and CA certificate from each and every CA in the path used to issue the client certificates, then all checks are performed and the client is properly validated.

I would prefer the system default to “Closed” instead of “Open” in the event an Intermediate CA certificate is unavailable or no CRL file is available. Again, the system must have at least one CA certificate trusted and available locally, but no CRL files.

Note: I have issued a client certificate from a client certificate issued by one of the Intermediate CAs and Apache does deny access because the key usage of the client certificate does not allow it to be used as a Root CA and issue additional client certificates. I used OpenSSL in order to issue client certificates from a client certificate. This type of path validation seems to work on all the versions of Apache and Mod_SSL I’ve tested.

Thanks
__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
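The following script is an added example and is not part of the post above or of mod_ssl itself. It shows, with the plain OpenSSL command line, the four situations the post describes: a complete CA directory with a CRL for every CA, a missing Intermediate CA certificate, a missing CRL, and a revoked client certificate. It builds a throwaway Root -> Intermediate -> client chain (all names such as "Example Root CA" and "alice" are made up), lays the CA certificates and CRLs out using the hashed-symlink convention that SSLCACertificatePath and SSLCARevocationPath rely on, and runs `openssl verify -crl_check_all` against each layout. It assumes an OpenSSL 1.1.0 or newer `openssl` binary on the PATH; a nightly refresh job could run the same verification against the freshly assembled directories before swapping them into place, so that a broken update is caught before Apache starts serving with it.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a throwaway
# Root -> Intermediate -> client chain with the OpenSSL CLI, lays the CA
# certs and CRLs out in hashed directories (the <hash>.0 / <hash>.r0 symlink
# convention SSLCACertificatePath / SSLCARevocationPath rely on) and shows
# which layouts 'openssl verify -crl_check_all' accepts. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: an empty DN section (subjects come from -subj),
# extension profiles for CA and client certs, and one 'ca' database per CA.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[ca]
default_ca = root_ca
[root_ca]
database = root.idx
[int_ca]
database = int.idx
EOF
: > root.idx
: > int.idx

q() { "$@" >/dev/null 2>&1; }   # run a command quietly; set -e still aborts on failure

# Root CA (self-signed), Intermediate CA signed by the root, client cert signed by the intermediate.
q openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -days 30 -subj "/CN=Example Root CA"
q openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA"
q openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions v3_ca -out int.pem
q openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj "/CN=alice"
q openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions v3_client -out client.pem

# One (still empty) CRL per CA.
q openssl ca -config pki.cnf -name root_ca -keyfile root.key -cert root.pem -md sha256 -crldays 7 -gencrl -out root.crl
q openssl ca -config pki.cnf -name int_ca -keyfile int.key -cert int.pem -md sha256 -crldays 7 -gencrl -out int.crl

# Hashed-directory helpers: CA certs are looked up as <subject-hash>.0, CRLs as <issuer-hash>.r0
# (the links c_rehash creates; mod_ssl keeps certs and CRLs in two directories, 'openssl verify' reads one).
add_ca()  { mkdir -p "$1"; ln -sf "$PWD/$2" "$1/$(openssl x509 -noout -hash -in "$2").0"; }
add_crl() { mkdir -p "$1"; ln -sf "$PWD/$2" "$1/$(openssl crl -noout -hash -in "$2").r0"; }

# verify_client DIR: exit 0 only if client.pem chains to a root in DIR through
# CA certs found in DIR and every CA in the path has a CRL in DIR (fail closed).
verify_client() { q openssl verify -CApath "$1" -no-CAfile -crl_check_all client.pem; }

# Layout 1: everything present.
add_ca full root.pem; add_ca full int.pem; add_crl full root.crl; add_crl full int.crl
# Layout 2: Intermediate CA certificate missing from the directory.
add_ca noint root.pem; add_crl noint root.crl; add_crl noint int.crl
# Layout 3: CRL of the issuing Intermediate CA missing.
add_ca nocrl root.pem; add_ca nocrl int.pem; add_crl nocrl root.crl
# Layout 4: everything present, but the client certificate has been revoked
# (revocation goes into a separate CRL file so layout 1 is unaffected).
q openssl ca -config pki.cnf -name int_ca -keyfile int.key -cert int.pem -md sha256 -revoke client.pem
q openssl ca -config pki.cnf -name int_ca -keyfile int.key -cert int.pem -md sha256 -crldays 7 -gencrl -out int_revoked.crl
add_ca revoked root.pem; add_ca revoked int.pem; add_crl revoked root.crl; add_crl revoked int_revoked.crl

report() { if verify_client "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi; }
report full; report noint; report nocrl; report revoked
```

Only the first layout is accepted; the other three are rejected, which is the "Closed" default the post asks for. The `-crl_check_all` flag is what makes a missing CRL a hard failure: without it (or with plain `-crl_check`, which only covers the end-entity certificate) OpenSSL verifies the chain and silently skips the revocation check for any CA whose CRL is absent. Whatever tool assembles the production directories, a check of this shape on the result, before the new directories go live, catches the situation where a CA certificate or CRL failed to download.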