httpd-users mailing list archives

From suomi <apa...@ayni.com>
Subject Re: [users@httpd] Client Certificates - HOWTO?
Date Sun, 22 Aug 2004 05:30:43 GMT
Hi Alan
concerning the passphrase, my findings were like this:

using openssl on linux:

you create a server request and key with
openssl req -new -keyout $DIR/server-key.pem -out \
$DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

at this point you MUST specify a passphrase. I have not found out the 
option for openssl which allows you to not specify a passphrase.

BUT:
you can then remove the passphrase from the key:
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

whether you can use the certificate which you create with such a key may 
depend on the browser, where you want to install it.

suomi

Alan Chandler wrote:
> Bad thing replying to my own post, but nobody else seemed to want to bite, and 
> I have some of the answers now after a lot a reading around.
> 
> On Friday 20 August 2004 06:12, Alan Chandler wrote:
> ...
> 
>>I have read all the docs - but am a little confused on a few things.  So
>>questions.
>>
>>1) Can I create a single client certificate/key pair and put into a p12
>>file with my CA cert and pass it round to all my client community?
> 
> 
> I certainly managed to do this to my windows2000 laptop - seemed to load OK.  
> Haven't had the opportunity to access the web site using it yet.
> 
> 
> 
>>2) Does this client certificate "need" a password to work.  It seems that
>>the password must be given to install it in a browser.  If I am creating
>>it, this also means telling everyone what that password is.
> 
> 
> Don't know the answer to this - used a password for my own key.
> 
> 
>>3) What exactly do I put into the file pointed to by the
>>SSLCACertificateFile directive.  Is this just the client certificate, or
>>does it also need my CA cert (and possibly the server cert)
> 
> 
> I think I understand this now - it's the CA cert that I signed the client key 
> with.  You don't need to store all the client keys, only the key that you 
> signed the clients' keys with.
> 
> 
>>4)The example of doing this in the Apache2 manual does not use the
>>SSLCertificateFile and SSLCertificateKeyFile directives.  Is this because
>>they are out of scope of the example - or that they are not needed.
> 
> 
> I don't know the answer to this yet - I have just put them in the 
> configuration anyway.
> 
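The workflow both posts describe, written out as an added example that is not part of either message: a private CA, a server key created with a passphrase and then stripped of it the way suomi does, a client key and certificate bundled into a PKCS#12 file with the CA cert (Alan's question 1), a check that a certificate from a different CA is rejected, and the mod_ssl directives from questions 3 and 4. The subject names, passwords and file names are constructed for the demo; `-nodes` is the real `openssl req` option that skips the passphrase prompt.

```shell
#!/bin/sh
# Added example, not from the thread: client-certificate workflow with the
# openssl CLI on Linux, followed by the mod_ssl directives the thread asks about.
# Subjects, passwords and paths below are made up for the demonstration.
set -eu

DIR="${DIR:-$(mktemp -d)}"   # scratch directory; override with DIR=/some/path

# Private CA that signs both the server and the client certificates.
# -nodes (spelled -noenc in OpenSSL 3) skips the passphrase prompt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Private CA" \
    -keyout "$DIR/ca-key.pem" -out "$DIR/ca-cert.pem" 2>/dev/null
}

# Sign a certificate request with the demo CA.
sign_with_ca() {
  openssl x509 -req -in "$1" -CA "$DIR/ca-cert.pem" -CAkey "$DIR/ca-key.pem" \
    -CAcreateserial -days 365 -out "$2" 2>/dev/null
}

# Server key + request as in the thread (the key gets a passphrase), then the
# passphrase is removed so httpd can start without a prompt.
make_server() {
  openssl req -new -newkey rsa:2048 -days 3600 -subj "/CN=www.example.test" \
    -passout pass:demo-pass \
    -keyout "$DIR/server-key-enc.pem" -out "$DIR/server-req.pem" 2>/dev/null
  openssl rsa -in "$DIR/server-key-enc.pem" -passin pass:demo-pass \
    -out "$DIR/server-key.pem" 2>/dev/null
  sign_with_ca "$DIR/server-req.pem" "$DIR/server-cert.pem"
}

# Client key + certificate, bundled with the CA cert into a PKCS#12 file.
# The browser asks for the export password on import, so one bundle per user
# keeps that password from being shared with the whole client community.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$DIR/client-key.pem" -out "$DIR/client-req.pem" 2>/dev/null
  sign_with_ca "$DIR/client-req.pem" "$DIR/client-cert.pem"
  openssl pkcs12 -export -in "$DIR/client-cert.pem" -inkey "$DIR/client-key.pem" \
    -certfile "$DIR/ca-cert.pem" -name alice -passout pass:import-me \
    -out "$DIR/client.p12" 2>/dev/null
}

# An unrelated CA with its own "alice" certificate, to show that only certs
# chained to the CA in SSLCACertificateFile pass verification.
make_other_ca_client() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
    -keyout "$DIR/other-ca-key.pem" -out "$DIR/other-ca-cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$DIR/other-key.pem" -out "$DIR/other-req.pem" 2>/dev/null
  openssl x509 -req -in "$DIR/other-req.pem" -CA "$DIR/other-ca-cert.pem" \
    -CAkey "$DIR/other-ca-key.pem" -CAcreateserial -days 365 \
    -out "$DIR/other-cert.pem" 2>/dev/null
}

# The same chain check mod_ssl performs against SSLCACertificateFile.
verify_client() {
  openssl verify -CAfile "$DIR/ca-cert.pem" "$1" 2>/dev/null | grep -q ': OK$'
}

# httpd fragment: SSLCertificateFile/KeyFile are the server's own identity and
# are still needed; SSLCACertificateFile holds only the CA cert, no client certs.
write_httpd_conf() {
  cat > "$DIR/ssl-client-auth.conf" <<EOF
SSLEngine on
# the server's own certificate and passphrase-free key
SSLCertificateFile    $DIR/server-cert.pem
SSLCertificateKeyFile $DIR/server-key.pem
# the CA that signed the client certificates
SSLCACertificateFile  $DIR/ca-cert.pem
SSLVerifyClient require
SSLVerifyDepth  1
EOF
}

make_ca; make_server; make_client; make_other_ca_client; write_httpd_conf
```

Run it with `DIR=/tmp/certdemo sh demo.sh`; `verify_client "$DIR/client-cert.pem"` succeeds and `verify_client "$DIR/other-cert.pem"` fails, which is exactly the decision httpd makes with `SSLVerifyClient require`.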

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

