iTP Secure WebServer System Administrator's Guide (Version 7.0)
Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide—523346-012
4-31
Using the -requestauth Option
Using the -requestauth Option
When you set the -requestauth option, the server always allows the Web client
connection, regardless of the state of the client certificate. In addition, the server sets
the HTTPS_CLIENT_STATUS variable to reflect the status of the client certificate (if the
certificate is valid or invalid). The server sets the variable to one of these values:
No certificate The certificate does not exist.
Error in certificate The certificate contains an error.
Not verified The certificate is issued by a CA that is unknown to the server.
Forged The certificate is forged.
Not valid yet The server requested and received the client certificate or a
certificate chain, but the begin date of the certificate is a future
date.
Expired The certificate is expired.
Issuer certificate
not CA type
The server requested client authentication and received a client
certificate chain that contains X509 version 3 certificates, but
one or more of the issuer certificates do not have CA privilege
(indicated by the issuer certificate containing the Basic
Constraints extension with the subject type set to
END_ENTITY).
Max path length
exceeded
The server requested client authentication and received a client
certificate chain that contains X509 version 3 certificates, but
one or more of the issuer certificates contain the Basic
Constraints extension with the subject type set to CA and
specifying max path length, and the maximum path length is
exceeded.
Issuer can’t sign
certificates
The server requested client authentication and received a client
certificate chain that contains X509 Version 3 certificates, but
one or more of the issuer certificates contain the Key Usage
extension and indicates that the certificate does not have
certificate-signing capabilities (but is still being used to sign
certificates).
Valid certificate
but with no
extensions
The server requested client authentication and received a client
certificate chain that contains X509 version 3 certificates, but
one or more of the issuer certificates contains neither the Basic
Constraints or the Key Usage extensions.