httpd-users mailing list archives

From Alan Chandler
Subject Re: [users@httpd] Client Certificates - HOWTO?
Date Sat, 21 Aug 2004 10:33:43 GMT

Bad thing replying to my own post, but nobody else seemed to want to bite, and 
I have some of the answers now after a lot of reading around.

On Friday 20 August 2004 06:12, Alan Chandler wrote:
> I have read all the docs - but am a little confused on a few things.  So
> questions.
> 1) Can I create a single client certificate/key pair and put into a p12
> file with my CA cert and pass it round to all my client community?

I certainly managed to do this to my Windows 2000 laptop - seemed to load OK.  
Haven't had the opportunity to access the web site using it yet.

> 2) Does this client certificate "need" a password to work.  It seems that
> the password must be given to install it in a browser.  If I am creating
> it, this also means telling everyone what that password is.

Don't know the answer to this - used a password for my own key.

> 3) What exactly do I put into the file pointed to by the
> SSLCACertificateFile directive.  Is this just the client certificate, or
> does it also need my CA cert (and possibly the server cert)

I think I understand this now - it's the CA cert that I signed the client key 
with.  You don't need to store all the client keys, only the key that you 
signed the clients' keys with.

> 4) The example of doing this in the Apache2 manual does not use the
> SSLCertificateFile and SSLCertificateKeyFile directives.  Is this because
> they are out of scope of the example - or that they are not needed.

I don't know the answer to this yet - I have just put them in the 
configuration anyway.

Alan Chandler
First they ignore you, then they laugh at you,
 then they fight you, then you win. --Gandhi
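
The point in the answer to question 3, as an added example that is not part of the original post: a verifier holding only the signing CA's certificate (the file SSLCACertificateFile names) accepts every client certificate that CA issued and rejects one issued by a different CA. The CA names, client names and temporary paths are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: every name, subject and path below is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate NAME.crt with private key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA NAME: client key NAME.key and certificate NAME.crt signed by CA
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 30 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# accepted_by CA NAME: succeeds only when NAME.crt chains to CA.crt.
# CA.crt plays the role of the file SSLCACertificateFile points to;
# no client certificate or client key is stored on the verifying side.
accepted_by() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca example-ca                 # the CA the site operator signs clients with
make_ca other-ca                   # an unrelated CA
issue_client example-ca alice
issue_client example-ca bob
issue_client other-ca outsider     # certificate from the unrelated CA

for client in alice bob outsider; do
    if accepted_by example-ca "$client"; then
        echo "$client: accepted"
    else
        echo "$client: rejected"
    fi
done
```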
