iTP Secure WebServer System Administrators Guide (Version 7.5+)
1. Builds an internal certificate chain using what the Web client has returned.
2. Attempts to back-build the internal certificate chain by retrieving issuer certificates from the
certificate database and adding them to the internal certificate chain. The chain is built until
the server either retrieves a certificate that is marked as root from the database or it cannot
find an issuer of a certificate on the chain in the database.
3. Verifies each certificate in the chain, starting with the leaf, to check that the chain is
well-formatted, is in its validity period, follows the Basic Constraints and Key Usage extensions
rules, and has a valid signature that was issued by its successor in the chain.
4. Stores the results of this verification in the various Tool Command Language/Common Gateway
Interface (Tcl/CGI) variables.
5. Appends the appropriate log messages to the Extended Log File (ELF) entry.
The server's action depends on its specific configuration, as shown in the list of variable settings
in “Using the -requestauth Option” (page 73).
NOTE: All X.509v1 certificates (root and non-root) are considered obsolete. Client or server
certificates that use the MD5 hashing algorithm are considered insecure. To use these certificates, specify
the -requestauth option instead of the -requireauth option. HP does not recommend the
use of X.509v1 certificates.
Using the -requireauth Option
When you set the -requireauth option, and the Web client supplies an invalid certificate (for
example, if the certificate does not exist, contains an error, is expired, or is issued by a CA that
is unknown to the server), the server always refuses the connection request from the Web client,
and then logs error messages to the error and extended log files.
When the Web client supplies a valid certificate, the server allows the connection and sets the
HTTPS_CLIENT_STATUS variable to valid. The server also sets all the other HTTPS_CLIENT
Tcl/CGI variables at the same time. For information about these Tcl/CGI variables, see “Passing
CGI Environment Variables” (page 146).
Using the -requestauth Option
When you set the -requestauth option, the server allows the Web client connection, regardless
of the state of the client certificate. In addition, the server sets the HTTPS_CLIENT_STATUS variable
to reflect the status of the client certificate (if the certificate is valid or invalid). The server sets the
variable to one of these values:
NO_CERTIFICATE: The certificate does not exist.
ISSUER_NOT_FOUND: The certificate is issued by a CA that is unknown to the server.
NOT_VALID_YET: The server requested and received the client certificate or a certificate chain,
but the begin date of the certificate is a future date.
EXPIRED: The certificate is expired.
ISSUER_NOT_CA: The server requested client authentication and received a client certificate chain
that contains X509 version 3 certificates, but one or more of the issuer certificates do not have
CA privilege (indicated by the issuer certificate containing the Basic Constraints extension with
the subject type set to END_ENTITY).
INSECURE_ALGORITHM: The server requested client authentication and received a client certificate
chain that contains X509 version 3 certificates, but it has been signed using the MD5 algorithm,
which is considered insecure.
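The chain building (step 2), the per-certificate checks (step 3) and the resulting HTTPS_CLIENT_STATUS values described above, as an added example that is not code from the iTP Secure WebServer guide or from HP. It uses a constructed certificate database of plain dicts rather than real X.509 objects, and models only the issuer/subject linkage, not cryptographic signature verification.

```python
# Added example, not code from the iTP Secure WebServer guide or from HP.
# A simplified model of the client-certificate checks described above:
# certificates are plain dicts constructed here, not real X.509 objects,
# and cryptographic signature checking is not modelled (only the
# issuer/subject linkage). Dates are ISO 8601 strings, which compare
# correctly as plain strings.

# Constructed certificate database keyed by subject name. 'root' marks a
# trust anchor; 'ca' mirrors the Basic Constraints subject type (CA vs END_ENTITY).
CERT_DB = {
    "Root CA": {"subject": "Root CA", "issuer": "Root CA", "root": True, "ca": True,
                "sig_alg": "sha256", "not_before": "2020-01-01", "not_after": "2035-01-01"},
    "Sub CA": {"subject": "Sub CA", "issuer": "Root CA", "root": False, "ca": True,
               "sig_alg": "sha256", "not_before": "2021-01-01", "not_after": "2031-01-01"},
}

def sample_leaf(**overrides):
    """Constructed end-entity certificate issued by 'Sub CA' (hypothetical)."""
    leaf = {"subject": "alice", "issuer": "Sub CA", "root": False, "ca": False,
            "sig_alg": "sha256", "not_before": "2024-01-01", "not_after": "2026-01-01"}
    leaf.update(overrides)
    return leaf

def build_chain(client_chain, db):
    """Step 2: back-build the chain from the database until a certificate
    marked as root is reached or no issuer can be found."""
    chain = list(client_chain)
    while chain and not chain[-1]["root"]:
        issuer = db.get(chain[-1]["issuer"])
        if issuer is None or issuer["subject"] == chain[-1]["subject"]:
            break  # issuer unknown, or a self-issued non-root (stop, avoid looping)
        chain.append(issuer)
    return chain

def client_status(client_chain, db, today):
    """Return the HTTPS_CLIENT_STATUS value for the supplied chain, or 'valid'."""
    if not client_chain:
        return "NO_CERTIFICATE"
    chain = build_chain(client_chain, db)
    if not chain[-1]["root"]:
        return "ISSUER_NOT_FOUND"
    # Step 3: verify each certificate, starting with the leaf.
    for position, cert in enumerate(chain):
        if today < cert["not_before"]:
            return "NOT_VALID_YET"
        if today > cert["not_after"]:
            return "EXPIRED"
        if cert["sig_alg"] == "md5":
            return "INSECURE_ALGORITHM"
        if position > 0 and not cert["ca"]:  # an issuer lacking CA privilege
            return "ISSUER_NOT_CA"
    return "valid"
```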
Using the -requireauth Option 73