I have TLS 1.2 mutual authentication working on Apache 2.4.54 with a self-signed CA and test clients on iOS and MacOS. Everything works, except the clients do not recognize the "Acceptable client certificate CA" on the CertificateRequest, so the user/app must know which one to choose. On my iOS app, the URLAuthenticationChallenge.protectionSpace.distinguishedNames field that is supposed to deliver this list is empty. On MacOS Safari it asks the user to choose a certificate among all installed, even though only 1 has the correct issuer CA. Using

openssl s_client -connect myserver.com:443 -prexit

returns

Acceptable client certificate CA names
/C=US/ST=x/L=x/O=x/OU=x/CN=myca.com/emailAddress=x
Relevant apache config is like so.
SSLCACertificateFile /etc/pki/CA/cacert.pem
SSLCADNRequestFile /etc/pki/CA/cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1
I get the same result without SSLCADNRequestFile. Looking at the apache logs with LogLevel trace8 appears to show the proper distinguished name being written on the CertificateRequest. This is a raw dump, so I can't read the binary fields, but I can see the right ASCII for my CA CN. I guess iOS/MacOS must be seeing this data, but deciding it is not usable.
The CA certificate has X509v3 Basic Constraints: CA:TRUE, but no keyUsage specs. Since the authentication works, I assume the cert is okay, as long as the client chooses the right cert.

Any ideas what I am doing wrong, or how to debug further?
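Added example, not from the original post: a small Python decoder for a TLS 1.2 CertificateRequest (handshake type 13) that renders the certificate_authorities DNs in the same /C=US/... form openssl prints, which is one way to read the binary fields in a trace8 dump instead of eyeballing the ASCII. The message and DN it parses are constructed for the demo (one CA, /C=US/CN=myca.com); the OID map only needs to cover the attributes in the question's DN.

```python
# Raw DER OID bytes -> attribute short name (enough for the DN in the question)
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
        b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN",
        b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def name_to_string(der_name):
    """X.501 Name = SEQUENCE OF SET OF AttributeTypeAndValue -> '/C=US/CN=...'."""
    _, rdns, _ = der_read(der_name)
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = der_read(rdns, pos)   # one RelativeDistinguishedName (SET)
        _, atv, _ = der_read(rdn)           # its first AttributeTypeAndValue (SEQUENCE)
        _, oid, p = der_read(atv)
        _, val, _ = der_read(atv, p)
        parts.append(f"{OIDS.get(oid, oid.hex())}={val.decode()}")
    return "/" + "/".join(parts)

def parse_certificate_request(msg):
    """Return cert types, signature algorithms and acceptable CA names (RFC 5246 7.4.4)."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    n = body[0]
    types, pos = list(body[1:1 + n]), 1 + n
    n, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    sig_algs, pos = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)], pos + n
    n, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    end, ca_names = pos + n, []
    while pos < end:                        # each DN: 2-byte length + DER-encoded Name
        ln, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
        ca_names.append(name_to_string(body[pos:pos + ln]))
        pos += ln
    return {"types": types, "sig_algs": sig_algs, "ca_names": ca_names}

def der(tag, body):                         # tiny DER encoder, only for the sample below
    return bytes([tag, len(body)]) + body   # short-form length suffices for this sample
def atv(oid, value):                        # SET { SEQUENCE { OID, PrintableString } }
    return der(0x31, der(0x30, der(0x06, oid) + der(0x13, value)))

# Constructed sample (not a real capture): rsa_sign, sha256+rsa, one CA /C=US/CN=myca.com
SAMPLE_DN = der(0x30, atv(b"\x55\x04\x06", b"US") + atv(b"\x55\x04\x03", b"myca.com"))
_ca_list = len(SAMPLE_DN).to_bytes(2, "big") + SAMPLE_DN
_body = b"\x01\x01" + b"\x00\x02\x04\x01" + len(_ca_list).to_bytes(2, "big") + _ca_list
SAMPLE_MSG = b"\x0d" + len(_body).to_bytes(3, "big") + _body
```

Feed it the bytes of the CertificateRequest from the trace8 dump (as a `bytes` object, starting at the 0x0d handshake type) and compare the printed names with the issuer DN of the client certificate you expect to be offered.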