Combine Let's Encrypt Certificate with Self-Signed CA

Alexify · December 26, 2023, 2:34pm

Hi there,

I am trying to do a setup and I am not sure if it is possible at all but if not I was surprised.
It was already confirmed in other threads that Let's Encrypt certificates can NOT be used for client authentication. It is not 100 percent true because actually you can just install your actual server certificate on the client to make it working, but since the latter can just be downloaded from the browser as HTTPS certificate it would not make much sense.

What I am trying to do now is having a Virtual Host configuration in Apache HTTPD where I am using the Let's Encrypt certificate for HTTPS access in browser and a self-signed cert from a self signed CA for Client authentication.

I seem to struggle with the SSL config at all.
Please see the SSL part for my virtual host:

SSLCertificateFile /etc/apache2/certs/letsencrypt.crt
SSLCertificateKeyFile /etc/apache2/certs/letsencrypt.key

SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/certs/isrgrootx1.pem #This is the Root cert of Let's Encrypt but I wish to use a self signed here....

The thing is that apparently the SSLCACertificateFile directive has to be compatible with the other two directives SSLCertificateFile and SSLCertificateKeyFile. So for me this means I can not combine different certificate authorities each for HTTPS and Client Certificate.

Am I missing something? Any insights will be appreciated.
Thanks so much!

Alex

petercooperjr · December 26, 2023, 2:39pm

Well, they can just fine (they do have Client Authentication enabled), but there are reasons that it may not be what you want to do, sure.

Sure, that sounds like a good approach.

I don't know why you think that? SSLCACertificateFile is just for the client authentication, and SSLCertificateFile/SSLCertificateKeyFile is just for the server authentication, as far as I can tell. (I haven't configured Apache for client authentication myself, but I don't think it does anything weird in terms of configuring it.) What problem exactly are you running into?

Osiris · December 26, 2023, 4:44pm

AFAIK client authentication also requires the certificates corresponding private key? So just downloading the cert wouldn't suffice.

That said, I also believe using a private CA for client authentication is the way to go.

As far as I know, this is not the case. In fact, often the SSLCACertificateFile directive is mistakenly used as part of the server HTTPS part of TLS.

Please see SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4 for more info about client authentication in Apache.

system · January 25, 2024, 4:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can Let's Encrypt be used to sign self-made certificates? Server	10	7823	April 12, 2017
Client certificate authentication	11	24164	December 9, 2018
SSL logon with X509 certificates Server	3	7248	March 1, 2019
Check if my server is compatilble in Lets Encrypt cert Server	5	2416	June 17, 2016
Converting from LetsEncrypt to self signed certificate for internal server Server	6	4370	February 12, 2017

Combine Let's Encrypt Certificate with Self-Signed CA

Related topics