httpd-users mailing list archives

From "Ian Huynh" <i...@hubspan.com>
Subject RE: [users@httpd] Question about how to do certificate based authentication with Apache 2.0.50 ....
Date Tue, 31 May 2005 18:31:51 GMT
If you want to lock it down to exactly ONE client certificate, here's one way to do it.

If you need to screen on more than one cert, perhaps you can use SSL_CLIENT_S_DN_O (I think)
instead of SSL_CLIENT_S_DN_CN.


<Location /SomeVirtualDir>

            SSLRequireSSL
            SSLVerifyClient require
            SSLVerifyDepth  3
            SSLRequire       %{SSL_CLIENT_S_DN_CN}  eq "the.client.cert.distinguished.name" \
                       and   %{SSL_CLIENT_I_DN_O}   eq "VeriSign Trust Network"
</Location>

-----Original Message-----
From: Matthew McHugh [mailto:mmchugh@arrow.com]
Sent: Tuesday, May 31, 2005 10:40 AM
To: users@httpd.apache.org
Subject: [users@httpd] Question about how to do certificate based authentication with Apache 2.0.50 ....


Hello All,

I am using Apache 2.0.50 on a Sun Solaris webserver.  I am trying to limit (for one virtual
host) access to the site.  I want to limit the access to one company that passes me their
certificate.  Is there a way to do this with Apache 2.0.50?  I see that something can be done
with client authentication, but that requires me to create my own CA and hand out certificates,
then allow all certs signed by that CA to have access to the environment.  My client will
be using a Verisign signed certificate and I do not wish to allow all clients with a Verisign
signed certificate to access my protected environment.

Is there a way to lock it down to only one certificate or do I need to allow access to all
clients passing certificates that are signed from a specific CA?


Any help would be much appreciated.


Thanks,


Matt

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
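
Added example (not part of the original messages, and not the posters' own configuration): the same SSLRequire approach placed in a full virtual host, with the trusted CA file narrowed to the issuing chain and two ways of screening on more than one certificate. The host name, file paths, CNs and organisation name are placeholders.

```apache
# Added example; host name, paths, CNs and organisation names are placeholders.
<VirtualHost _default_:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Trust only the CA chain that issued the partner's certificates.
    # The client certificate is validated against this file first;
    # SSLRequire is evaluated only for certificates that pass.
    SSLCACertificateFile  /path/to/partner-issuing-ca-chain.pem

    <Location /SomeVirtualDir>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  3

        # Variant A: allow a short, explicit list of certificates by subject CN.
        SSLRequire %{SSL_CLIENT_S_DN_CN} in {"client-one.example.com", "client-two.example.com"} \
               and %{SSL_CLIENT_I_DN_O}  eq "VeriSign Trust Network"

        # Variant B (use instead of A): allow any certificate the CA issued
        # to one organisation.
        # SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Partner Inc" \
        #        and %{SSL_CLIENT_I_DN_O} eq "VeriSign Trust Network"
    </Location>
</VirtualHost>
```

Variant B admits every certificate carrying that organisation name, so it is only as strict as the CA's vetting of the O field; Variant A has to be updated whenever the partner's certificate CN changes.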

