Sorry in advance: this may end up being a long and confused post, because that's where I am. I have been trying to do this for two days and I am confused :P
Context: I have a website (we'll call it www.mysite.com) and I have gotten a valid certificate from a major CA. HTTPS is working fine and the certificate is all kinds of valid.
Objective: I now want to issue certificates to the people I am authorizing to use my site, so that I can add an extra layer of security to it and let Apache reject unauthorized users before they even see the result of the PHP site or have logged in with those credentials.
What I have done: I have followed at least three different tutorials and read half a dozen more on how to issue these certificates, but, in short, they fail to validate. Most of the tutorials have talked about establishing my own self-signed CA cert and then using that cert's key to sign additional certificates requested by the users. I have tried this, and both Firefox (version 19.02) and IE (version 8 :( ) fail to connect, and I don't understand why anymore.
So specific questions:
1. Are the Apache commands wrong? When I include:
SSLEngine on
SSLCertificateFile /etc/path/to/www.mysite.com.crt
SSLCertificateKeyFile /etc/path/to/www.mysite.com.key
SSLCACertificateFile /etc/path/to/www.mysite.com.cabundle
SSLVerifyClient require
SSLVerifyDepth 10
in my httpd.conf file, the server appropriately rejects visits that do not have a certificate. However, I have generated what I believe to be a valid certificate for the end user, and it is still being rejected. If the files shown above are what were given to me by the major CA (VeriSign), then am I just creating a bad user certificate? What are those Apache commands actually checking for?
2. How do the flags for openssl really work? I am creating the user's certificate with:
openssl ca -in ./path/to/usersrequest.csr -cert ./etc/path/to/www.mysite.com.crt -keyfile ./etc/path/to/www.mysite.com.key -out ./path/to/userscert.crt
Am I, perhaps, using the wrong key or something? Should I be using the public or private key that I got from VeriSign's certificate? If I understand what I have read correctly, I should be able to simply issue a new certificate to my end user, signed with the same key that is in my 'official' certificate, and it should just work... but it's not :(
I have also tried:
openssl x509 -req -CA /etc/path/to/cert.pem -CAkey /etc/path/to/cert.pem -CAcreateserial -in usersrequest.csr -out user.crt
and I get an error that reads "unable to load CA private key"
... and I don't even know what that means.
In the end, I know these are probably n00b questions and the answer is staring me in the face, but I have been trying to learn about this subject and write the code for two days now and my brain is just fried... I will keep trying, but if anyone out there can point me in the right direction, I'd really appreciate it.
TIA, Kvorak
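The following is an added example, not part of the post above, showing the flow the question is circling around end to end: it creates a private client CA, issues one user certificate from it, and then checks the result the same way Apache's SSLVerifyClient does against SSLCACertificateFile, namely by building a chain from the client certificate to a CA certificate in that file. A second, unrelated self-signed CA stands in for the commercial CA bundle that vouches for the server certificate; the user certificate verifies against the private CA and is rejected against the unrelated one, which is why pointing SSLCACertificateFile at the VeriSign bundle cannot accept certificates one signs oneself. It also reproduces the "unable to load CA private key" error by passing a certificate file where `-CAkey` expects the CA's private key. All names, paths and subjects are constructed for the demo; it only needs the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the original post): build a private client CA, issue
# a user certificate from it, and check the chain the same way Apache's
# SSLCACertificateFile / SSLVerifyClient do. Every name and path below is
# constructed for the demo; nothing here touches a real commercial certificate.
set -eu

WORK="${TMPDIR:-/tmp}/client-ca-demo.$$"
mkdir -p "$WORK"

# Creates, in $WORK: a self-signed private CA (ca.key/ca.crt), a user key and
# CSR, a user cert signed by that CA, and a second, unrelated self-signed CA
# (public-ca.crt) standing in for the bundle a commercial CA ships.
make_pki() {
  # With the stock openssl.cnf, "req -x509" marks the certificate CA:TRUE, so
  # it may sign other certificates. An ordinary server (leaf) certificate is
  # not a CA certificate, and Apache and browsers will not accept it in that role.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=mysite.com private client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # The user generates a key pair and a request; only the CSR leaves their machine.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=alice at mysite.com" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null

  # Sign the CSR. -CA is the CA *certificate*, -CAkey is the CA *private key*
  # file; pointing -CAkey at a .crt is what produces "unable to load CA private key".
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/user.crt" 2>/dev/null

  # Unrelated CA that never signed anything for us (stand-in for the commercial
  # CA chain that vouches for the server certificate, not for our users).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Public CA (constructed)" \
    -keyout "$WORK/public-ca.key" -out "$WORK/public-ca.crt" 2>/dev/null
}

# verify_client_cert CAFILE CERT -> prints "verified" or "rejected".
# "openssl verify -CAfile" applies the same chain-building rule Apache uses
# for SSLCACertificateFile: the client cert must chain to a CA in that file.
verify_client_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo verified
  else
    echo rejected
  fi
}

# sign_with_cert_as_key -> prints "signed" or "failed"; reproduces the mistake
# of passing a certificate where a private key is expected (the second openssl
# command in the post).
sign_with_cert_as_key() {
  if openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.crt" \
       -CAcreateserial -out "$WORK/bogus.crt" >/dev/null 2>&1; then
    echo signed
  else
    echo failed
  fi
}

make_pki
echo "against private CA  : $(verify_client_cert "$WORK/ca.crt" "$WORK/user.crt")"
echo "against public CA   : $(verify_client_cert "$WORK/public-ca.crt" "$WORK/user.crt")"
echo "cert as -CAkey      : $(sign_with_cert_as_key)"
echo "issuer on user cert : $(openssl x509 -in "$WORK/user.crt" -noout -issuer)"
```

In Apache terms, ca.crt (the private CA certificate, not the server's commercial bundle) is what belongs in SSLCACertificateFile, and user.crt plus user.key are what the user imports into the browser; ca.key never leaves the machine that issues certificates, since anyone holding it can mint client certificates the server will trust.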