
SSLProxyMachineCertificateFile - What am I doing wrong?


Joe

Jan 9, 2004, 3:19:38 PM1/9/04
I'm at the point of pulling out my hair on this one and would very
much appreciate some help.

My configuration using Apache 2.0 is as follows:

NODE1(WebBrowser)-->NODE2(ProxyServer - mod_proxy)-->NODE3(WebServer)
(SSLClient)--> (SSLServer / SSLClient )--> (SSLServer)

NODE2 is also the CA (Certificate Authority).

In the NODE2 .CONF file...

SSLEngine on
SSLProxyEngine on

SSLCertificateFile /apache$common/openssl/crt/node2.crt
SSLCertificateKeyFile /apache$common/openssl/key/node2.key
SSLCACertificatePath /apache$common/openssl/crt/
SSLProxyMachineCertificateFile /apache$common/openssl/crt/???.???

SSLVerifyClient require
SSLVerifyDepth 10
SSLProxyVerify require

Notice the "???.???" in SSLProxyMachineCertificateFile. I'm not sure what to put here. I've tried about every combination of CRT files going by what I've read on the web. Is this supposed to be NODE2_ca.crt, NODE2.crt, or NODE3.CRT?

Each time I start the APACHE server on NODE2 the error log states: "[Fri Jan 09 13:26:58 2004] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!? [Hint: SSLCACertificate*]". In the /apache$common/openssl/crt directory I do have the NODE2_ca.crt file.

If someone can point me in the right direction on this one I would
sure appreciate it.

Thank you.
Joe

Joe

Jan 29, 2004, 4:27:08 PM1/29/04
Well, I found what I need to do to get SSLProxyMachineCertificateFile
and SSLProxyMachineCertificatePath working. It works fine but if
someone sees something wrong please let me know. In my .CONF file...

# SSLProxyMachineCertificateFile - PEM-encoded client
# certificates and keys to be used by the proxy. Note: The
# certificate must be a file(s) that is composed of the concatenation
# of the client certificate(s) (e.g., node3.crt) and the corresponding
# client private key(s) (e.g., node3.key). As of Apache 2.0.47 there
# is no support for encrypted private keys, so when you create the
# client's certificate/key do not encrypt. Use this directive
# alternatively or additionally to SSLProxyMachineCertificatePath.
# Note - From my testing I've come to the conclusion that
# SSLProxyMachineCertificateFile should be in a directory that
# only contains client certificates.
# To test SSLProxyMachineCertificateFile:
# 1) Concatenate client private key (node3.key) to signed cert (node3.crt).
#    For my testing I named this file node3crtandkey.crt.
# 2) Send this cert/key file to the proxy server to be placed in
#    its directory for client certs.
# 3) Hash the cert.
# 4) Set SSLProxyMachineCertificatePath and/or File
#SSLProxyMachineCertificatePath /apache$common/openssl/crt/clientcrts
SSLProxyMachineCertificateFile /apache$common/openssl/crt/clientcrts/node3crtandkey.crt

So, I was not doing two things...
1) I was not using a cert that also contained the private key.
2) For SSLProxyMachineCertificatePath to work I should specify a
directory that only contains the client cert(s).

Joe
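One way to script the four steps from Joe's second post, together with the check that the key is unencrypted (the 2.0.47 limitation he notes), as an added example that is not from the thread. It assumes a Unix-like shell with openssl on PATH, takes the file names and the clientcrts directory from his config, and assumes "hash the cert" means the <subject-hash>.0 symlink that openssl x509 -hash produces.

```sh
#!/bin/sh
# Build the file SSLProxyMachineCertificateFile expects: the client
# certificate followed by its UNENCRYPTED private key, then install it,
# hashed, into the clientcrts directory named by SSLProxyMachineCertificatePath.
# Inputs used when testing this are constructed PEM-shaped text, not real keys.

# Returns 0 if $1 holds a PEM private key with no encryption marker
# (Apache 2.0.47 cannot use encrypted keys for the proxy), 1 otherwise.
key_is_unencrypted() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    grep -q 'Proc-Type: 4,ENCRYPTED' "$1" && return 1               # traditional PEM
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && return 1  # PKCS#8
    return 0
}

# Step 1: concatenate $1 (cert) and $2 (key) into $3, refusing bad inputs
# so a broken combined file never reaches the proxy.
make_proxy_client_pem() {
    crt=$1; key=$2; out=$3
    grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" \
        || { echo "$crt: no PEM certificate" >&2; return 1; }
    key_is_unencrypted "$key" \
        || { echo "$key: missing or encrypted private key" >&2; return 1; }
    cat "$crt" "$key" > "$out" && chmod 600 "$out"   # file now holds a private key
}

# Steps 2-3: copy $2 into the client-certs directory $1 (which should hold
# nothing but client certs) and add the <subject-hash>.0 symlink, the same
# scheme SSLCACertificatePath uses. Needs openssl on PATH.
install_hashed() {
    dir=$1; pem=$2
    mkdir -p "$dir" && cp "$pem" "$dir/" || return 1
    hash=$(openssl x509 -noout -hash -in "$pem") || return 1
    ln -sf "$(basename "$pem")" "$dir/$hash.0"
}

# Typical use (paths from Joe's config; step 4 is the directive in httpd.conf):
#   make_proxy_client_pem node3.crt node3.key node3crtandkey.crt
#   install_hashed '/apache$common/openssl/crt/clientcrts' node3crtandkey.crt
```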
