httpd-users mailing list archives

From Tom Browder <tom.brow...@gmail.com>
Subject Re: [users@httpd] What verification does Apache do as part of SSLVerifyClient?
Date Sun, 09 Sep 2012 13:36:30 GMT
On Wed, Sep 5, 2012 at 4:32 PM, Mark Montague <mark@catseye.org> wrote:
...
> As you can see, the CN is not a hostname and does not get validated by
> httpd. You need to rely on the certificate authorities you trust in order to
> not sign certificates for "improper" CNs -- for example, the CN of a host
> that does not belong to the requester. And you need to trust the holder of
> the cert to keep their private key secure. If you cannot do these two
> things, you should not trust the CA in question, or you should not accept
> certificates at all.

So the client cert. does contain the private key? Then its password
is all that is protecting it?

Mark, in your experience, what is the best way to distribute client
certificates?

I am developing client certificates that I will distribute to my
users, and up to now I planned to distribute them via email and
passwords via US mail.

Thanks.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
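
An added illustration of the point in the quoted reply (not part of the original thread and not either poster's configuration): since httpd only checks that the client certificate chains to a CA you trust, any restriction on which subjects are accepted, and any handling of compromised keys, has to be configured on top of SSLVerifyClient. The sketch assumes Apache 2.4 with mod_ssl; the host name, file paths and CN values are placeholders.

```apache
<VirtualHost *:443>
    ServerName www.example.com                       # placeholder host name
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt  # placeholder paths
    SSLCertificateKeyFile /etc/httpd/tls/server.key

    # Client certificates are accepted only if they chain to this CA.
    # Using a dedicated CA that signs nothing but your own users' certificates
    # keeps "whom the CA signs for" under your control.
    SSLCACertificateFile /etc/httpd/tls/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # A leaked client key stays valid until the certificate expires unless
    # revocation is checked; publish a CRL from the CA and load it here.
    SSLCARevocationFile  /etc/httpd/tls/client-ca.crl
    SSLCARevocationCheck chain

    <Location "/private">
        # httpd does not interpret the CN by itself, so authorization on the
        # subject is an explicit rule. 'alice' and 'bob' are constructed values.
        <RequireAll>
            Require ssl-verify-client
            Require expr "%{SSL_CLIENT_S_DN_CN} in { 'alice', 'bob' }"
        </RequireAll>
    </Location>
</VirtualHost>
```

With SSLCARevocationCheck enabled, httpd rejects client certificates when no valid CRL for the issuing CA is available, so the CRL file has to be kept current.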

