Can't get Client certificates to work
2013-03-25, 13:50
Post: #6
RE: Can't get Client certificates to work
(2013-03-25 13:20)Viator Wrote:  I've recreated all keys and certs (the way I did describe in my first post) to be sure they match and then I tried to use ca.crt - same result. With client-certificate verification turned on, the client won't start but does so if the verification is switched off. :-(

Since I know that the common name can't be omitted and must be a valid address, I have also tried using the client's IP in the client certificate, with no result (even if this would work, it would cause problems in a real environment since I do not really know the client's IP).

The client certificate name doesn't really matter. You can use the SSLRequire directive for Apache to restrict which client certificates are accepted; I think the default is to accept any certificates which can be validated.

Quote:In the "docu" there's a cross certificate mentioned (openssl ca -config ca.cnf -extensions cross -notext -preserveDN -ss_cert startcom.crt -out startcom-cross.crt) but I do not know if and how this is important for me. How should I use these certificates?

Cross-signing is not relevant to your setup.

Have you checked the server log files to see if it contains any explanations?

Failing that, you could try capturing the traffic, and post the capture file somewhere I can fetch it.

Michael
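
Added example, not part of the original post or of the project's documentation: an Apache mod_ssl virtual host that requires client certificates issued by `ca.crt` and then narrows acceptance with `SSLRequire`, as the reply describes. The server name, file paths and the organisation value are placeholders chosen for illustration.

```apache
# Added example; ServerName, paths and the O= value are placeholders.
<VirtualHost *:443>
    ServerName boot.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # CA certificate(s) used to validate client certificates
    # (the ca.crt mentioned in the thread).
    SSLCACertificateFile  /etc/apache2/ssl/ca.crt

    # Fail the handshake unless the client presents a certificate
    # that validates against the CA file above.
    SSLVerifyClient require
    # Depth 1: the client certificate must be issued directly by a CA
    # known to the server (no intermediate CAs in between).
    SSLVerifyDepth  1

    # More verbose logging while troubleshooting; handshake problems
    # are written to the error log.
    LogLevel info
    ErrorLog /var/log/apache2/ssl_error.log

    <Location />
        # Without this, any certificate that validates is accepted.
        # Here only certificates whose subject O= matches are allowed.
        # (Apache 2.4 deprecates SSLRequire in favour of "Require expr".)
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Org"
    </Location>
</VirtualHost>
```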
Messages In This Thread
RE: Can't get Client certificates to work - mcb30 - 2013-03-25 13:50