: How to determine the sequence of ordering certificates by browser? I did a Mutual Certificate Authentication implementation with OpenSSL and Apache Web Server on CentOS platform. To simple explanation

@Welton855

Posted in: #Authentication #Browsers #Centos #Https #SecurityCertificate

I did a Mutual Certificate Authentication implementation with OpenSSL and Apache Web Server on CentOS platform. To simple explanation see this diagram:




----------
| Root CA | // Self-Signed Certificate
----------
|
----------
| SiteA CA | // Intermediate Certificate signed by Root CA
----------
| |
-------- --------
| Server1 | | Client1 | //Certificates signed by SiteA CA
-------- --------





in Apache Configuration I edited next:
make a chain crt:

sudo cat server.crt rootca.crt serverCA.crt > server_chain.crt


edit ssl config :

sudo vi /etc/httpd/conf.d/ssl.conf


edit those four lines :

SSLCertificateFile /etc/pki/tls/server.crt
SSLCertificateKeyFile /etc/pki/tls/server.key
SSLCertificateChainFile /etc/pki/tls/server_chain.crt
SSLCACertificateFile /etc/pki/tls/rootca.crt


and to make it (two-way) Mutual Authentication :

SSLVerifyClient require
SSLVerifyDepth 10


Then : restart apache=httpd service :

sudo service httpd restart


you know that you should give your browser root ca certificate and client certificate and while I was doing a Testing I did next:

I removed rootca.crt from browser and noticed that Firefox and Chrome ask me for client certificate confirmation before telling me that the server is not a trusted, while Opera browser acts right, first tell me that it's not trusted and then show me Client certificate information.

I was told that in IIS there's an option for telling the web server which one to ask about first, but I couldn't find that option here in Apache.
Can anybody help ?

Vote Up Vote Down

Login to post a comment!