Lighttpd 用戶端憑證認證

我正在嘗試使用我自己的內部 Windows CA 透過 lighttpd 啟用客戶端憑證驗證。免責聲明：我對 PKI 還很陌生：D

我的家庭實驗室中有一個離線根 CA 和一個從屬 CA。我已經將根 CA 導入到 Firefox 的受信任 CA 下。對於客戶端證書，我使用 openssl 產生一個 CSR，我使用啟用了客戶端身份驗證的範本與我的下級 CA 簽署了該 CSR。此客戶端憑證也會作為 pfx 檔案匯入到 Firefox 中。我還配置了lighttpd，如下所示：

ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
ssl.ca-file = "/etc/lighttpd/certs/ca.cer"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

我收到以下錯誤：

火狐瀏覽器錯誤：

Peer does not recognize and trust the CA that issued your certificate.
Error code: SSL_ERROR_UNKNOWN_CA_ALERT

Lighttpd 錯誤：

SSL: 1 error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed 
SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in ini

其他：

Acceptable client certificate CA names
DC = org, DC = homelab, CN = homelab-V-2019-ICA-CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign

CA.cer

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:00:00:00:02:47:18:65:49:6e:51:2a:56:00:00:00:00:00:02
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=V-2019-RCA-CA
        Validity
            Not Before: Nov 24 06:00:19 2020 GMT
            Not After : Nov 24 06:10:19 2021 GMT
        Subject: DC=org, DC=homelab, CN=homelab-V-2019-ICA-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

客戶證書

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:00:00:00:23:c0:0e:f2:75:d8:de:ef:65:00:00:00:00:00:23
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = org, DC = homelab, CN = homelab-V-2019-ICA-CA
        Validity
            Not Before: Dec  1 23:54:33 2020 GMT
            Not After : Nov 24 06:10:19 2021 GMT
        Subject: C = US, ST = Rhode Island, L = Providence, O = HOMELAB, OU = HOMELAB, CN = homelab-V-2019-ICA-CA.homelab.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
...
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            1.3.6.1.4.1.311.21.10: 

不知道從這裡去哪裡。任何幫助或文章將非常感激。 :)