From: Toomas Aas
To: users@httpd.apache.org
Date: Mon, 16 Dec 2013 22:29:50 +0200
Subject: Re: [users@httpd] client side certificate authentication

Hello!

> I am struggling to understand the concept of client side authentication
> enabled in SSL apache. I have been reading the posts, Google pages but
> still clueless.
>
> What I could understand till now is 3 configuration parameters are required
>
> SSLVerifyClient
> SSLVerifyDepth
> SSLCACertificateFile
>
> The point on which I am confused is SSLCARevocationFile.

The meaning of SSLCARevocationFile is really quite simple.

Let's say that we have issued certificates to all employees in our company. These certificates are issued by the CA whose certificate is in SSLCACertificateFile. Apache is configured to trust all certificates issued by this CA.

Now one of the employees leaves and should no longer have access. We can't really "take back" the certificate file issued to this employee, so we just declare that we no longer trust this particular certificate - in other words, we revoke the certificate. Such revoked certificates are listed in a "Certificate Revocation List" - a file which SSLCARevocationFile points to.

--
Toomas Aas
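The setup described in the reply above, written out as a virtual host. This is an added example, not part of the original message; the hostname and all file paths are placeholders, and SSLCARevocationCheck is a directive from Apache 2.4 that the thread does not mention.

```apache
# Added example: hostname and file paths are constructed placeholders.
<VirtualHost *:443>
    ServerName intranet.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Trust anchor: the company CA that issued the employee certificates.
    # Any certificate signed by this CA is accepted unless it is revoked.
    SSLCACertificateFile  /etc/httpd/ssl/company-ca.crt

    # Refuse the TLS handshake unless the client presents a certificate
    # that verifies against the CA above.
    SSLVerifyClient       require

    # Employee certificates are signed directly by the CA, so one level
    # of issuer is enough. Raise this if intermediate CAs are in use.
    SSLVerifyDepth        1

    # PEM-encoded Certificate Revocation List published by the same CA.
    # A departed employee's certificate is still validly signed; it is
    # rejected only because its serial number appears in this file.
    SSLCARevocationFile   /etc/httpd/ssl/company-ca.crl

    # Apache 2.4: CRL checking is off by default and must be enabled,
    # otherwise SSLCARevocationFile has no effect. Apache 2.2 does not
    # have this directive and consults a configured CRL without it.
    SSLCARevocationCheck  chain
</VirtualHost>
```

Apache loads the CRL at startup, so the server needs a reload each time the CA publishes an updated list. If the CRL passes its next-update time without being replaced, client certificate verification fails for everyone, so refreshing the file belongs in routine operations.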