httpd-users mailing list archives

From Alan Chandler <a...@chandlerfamily.org.uk>
Subject [users@httpd] Client Certificates - HOWTO?
Date Fri, 20 Aug 2004 05:12:15 GMT
I am trying to set up the following scenario.

I have a web server which I want to use SSL to authenticate clients - so I 
allow only a limited community in.  In order to do this, I want all clients 
to install a client certificate in their browser - so that I can verify that 
they are who they say they are.

I have created my own CA and signed it myself.  I have created the server 
certificate/key and signed it with the CA. I have created one client 
certificate for my own "client" machine, given it a passphrase and exported 
it as a p12 file containing the cert, key and CA cert.  I have installed this 
in my browser to show it is possible.

I have read all the docs - but am a little confused on a few things.  So 
questions.

1) Can I create a single client certificate/key pair and put it into a p12 file 
with my CA cert and pass it round to all my client community?
2) Does this client certificate "need" a password to work?  It seems that the 
password must be given to install it in a browser.  If I am creating it, this 
also means telling everyone what that password is.
3) What exactly do I put into the file pointed to by the SSLCACertificateFile 
directive?  Is this just the client certificate, or does it also need my CA 
cert (and possibly the server cert)?
4) The example of doing this in the Apache2 manual does not use the 
SSLCertificateFile and SSLCertificateKeyFile directives.  Is this because 
they are out of scope of the example - or that they are not needed?

TIA
-- 
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
 then they fight you, then you win. --Gandhi

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
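
The setup described in the message above (own CA, a server certificate, a client certificate exported as a p12 file), as an added example that is not part of the original post. It uses the `openssl` command line, issues a separate key pair per client, and checks that each certificate chains to the CA and is usable for client authentication; all subjects, file names and passphrases are constructed.

```shell
#!/bin/sh
# Added example. Every name, subject and passphrase below is constructed.

make_ca() {
    # One config file: CA extensions plus per-role EKU sections for leaf certs.
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
extendedKeyUsage = serverAuth
[client]
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -days 365 \
        -keyout ca.key -out ca.crt 2>/dev/null
}

issue_cert() {  # issue_cert <common-name> <server|client>
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile pki.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}

export_p12() {  # export_p12 <common-name> <passphrase>: key + cert + CA cert
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile ca.crt \
        -name "$1" -passout "pass:$2" -out "$1.p12"
}

is_valid_client() {  # chains to our CA and is usable for TLS client auth?
    openssl verify -CAfile ca.crt -purpose sslclient "$1.crt" >/dev/null 2>&1
}

cd "$(mktemp -d)" || exit 1
make_ca
issue_cert server.example.test server
for user in client1 client2; do      # separate key pair per user
    issue_cert "$user" client && export_p12 "$user" "constructed-pass-$user"
done
is_valid_client client1 && echo "client1: accepted for client auth"
is_valid_client server.example.test || echo "server cert: rejected as a client cert"
```

The `ca.crt` produced here is the issuer certificate a server trusts when verifying client certificates (in mod_ssl, the file named by `SSLCACertificateFile`). For real use, supply passphrases with `-passout file:` or `-passout env:` rather than `pass:`, which is visible in the process list.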

