httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <>
Subject Re: [users@httpd] SSL Cllient Certificate Requirements Question
Date Fri, 20 Jul 2012 00:34:18 GMT
On 7/19/2012 10:11 AM, Tom Browder wrote:
> I have a single server with a multiple vhost SSL certificate from a
> recognized CA.  All vhosts are using SSL/TLS successfully and
> exclusively with HSTS enforcement.
> I would now like to add SSL client certificates for individual vhost
> private directory access and plan to do so using a self-generated,
> self-signed CA certificate (self-CA) set up, with one certificate per
> authorized user and vhost.  My question for my set up is this:
>   Does the client browser have to import anything other than its
> assigned SSL client certificate?
> One source I've found says I will also have to have my self-CA
> certificate available for import by each client browser but another
> source says no (I can provide the sources later when I get access to
> my own computer).  The Apache 2.4 docs, as I interpret them, imply
> that they are two separate things and only the single client
> certificate will have to be imported since the session SSL connection
> is created through the widely-recognized CA certificate.
> (I apologize for any unclear terminology--I am still trying to sort it all out.)
> Thanks.

Since your servers are signed by a known CA, the browsers will only need
to have a private key/certificate imported to function. In your httpd
vhost, you will place your self-signed CA certificate (the one that
signs the client certs) in the file pointed to by SSLCACertificateFile.

Daniel Ruggeri

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message