I am trying to export a client certificate for use with a web browser.

The goal is to restrict access using the <Location> directive to the admin area. I have seen numerous tutorials on using self signed CAs. How would you do this using a third party?

1) Do I need to include the CA in the client pfx if it is a trusted root CA? I have seen both examples.

Without CA:

openssl pkcs12 -export -inkey KEYFILENAME -in CERTFILEFILENAME -out XXX.pfx

With CA:

openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx

2) Do I need to still include SSLCACertificateFile for trusted CA in the httpd.conf setup?

SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
<Location /secure/area>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8

+1  A: 

You cannot issue client certificates with a third-party CA signed certificate. You have to have a self-signed CA for issuing client certificates and specify this CA as SSLCACertificateFile.

Sample:

SSLCertificateFile /etc/apache2/ssl/apache.cer # site certificate signed by verisign
SSLCertificateKeyFile /etc/apache2/ssl/apache.key # site key for certificate signed by verisign
SSLCACertificateFile /etc/apache2/ssl/apachelca2.pem # your self signed CA

Note that apachelca2.pem has both the key and the certificate in it. Command lines to issue client certificates:

openssl req -config /usr/share/apache2/ssleay.cnf -new -key client.key -out client.csr

openssl x509 -req -days 365 -CA /etc/apache2/ssl/apachelca2.pem -CAkey /etc/apache2/ssl/apachelca2.pem -CAcreateserial -in client.csr -extfile /usr/share/apache2/ssleay.cnf -extensions v3_req -out client.crt

rihards
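A worked version of both posts' steps, added here as an example and not code from the question or the answer: it builds a private CA, issues a client certificate from it (the answer's two openssl commands), exports the key and certificate as the .pfx the question asks about with the CA included, and checks the chain the way Apache checks it against SSLCACertificateFile with SSLVerifyDepth 1. File names, subjects and the export password are constructed for the example.

```shell
# Added example (not from the question or answer). Everything below is written
# to a scratch directory; subjects, file names and the password are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA; $1 = path prefix, $2 = CommonName. "openssl req -x509"
# marks it CA:TRUE via the default v3_ca extensions.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Key + CSR for the user, signed by the CA. The extfile pins the certificate
# to client authentication so it cannot double as a server certificate.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$WORK/client.ext"
  openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
}

# Browser bundle: private key, client cert and (via -certfile) the CA cert.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/client.pfx"
}

# Apache's check: does client.crt chain directly to a CA in file $1 (the file
# named in SSLCACertificateFile)? Exit status 0 means accepted.
verify_client() {
  openssl verify -CAfile "$1" -purpose sslclient "$WORK/client.crt" >/dev/null 2>&1
}

# Number of certificates carried inside the .pfx (2 when the CA is included).
count_pfx_certs() {
  openssl pkcs12 -in "$WORK/client.pfx" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_ca "$WORK/ca" "Example Private Client CA"
make_ca "$WORK/other" "Unrelated CA"
make_client
export_pfx
verify_client "$WORK/ca.crt" && echo "client.crt accepted by ca.crt"
verify_client "$WORK/other.crt" || echo "client.crt rejected by other.crt (expected)"
echo "certificates in client.pfx: $(count_pfx_certs)"
```

The second CA stands in for a CA that is not listed in SSLCACertificateFile: the same client certificate is rejected against it, which is why the answer insists that the issuing CA itself goes into that directive.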