httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sterpu Victor" <>
Subject Re[2]: [users@httpd] SSL - How client certificates are verified?
Date Sun, 23 Aug 2015 07:51:40 GMT
I'm not sure I got this right, this is what I was thinking:
- client sends his certificate, with the public key included; the 
certificate contains a signature of the client certificate made with the 
private key of the CA;
- apache server has the public key of the CA and can check the signature 
of the CA
Is this right?

Does this check includes OCSP verification? If not can this be done from 

Thank you.

------ Original Message ------
From: "Mohanavelu Subramanian" <>
To:; "Sterpu Victor" <>
Sent: 8/23/2015 10:19:13 AM
Subject: Re: [users@httpd] SSL - How client certificates are verified?

>With the option "SSLVerifyClient require" , server mandates the client 
>to send its certificate for authentication. Then the server verifies 
>this client certificate against the CA certificate file configured in 
>apache. If the client certificate has been signed by a valid CA, then 
>the authentication is successful.
>There are cases where sub CA certificate can be generated from root 
>certificate. So, this will end up in a hierarchy of CA certificates. 
>The final sub CA certificate would be used to sign client certificate. 
>With option "SSLVerifyDepth 10", the server will verify the client 
>certificate to the level of 10, meaning it will verify from 0 to up the 
>hierarchy 10.
>Maximum depth of CA Certificates in Client Certificate verification
>When the client sends its fake certificate(not signed by the CA) , the 
>authentication will fail at server.
>On Sun, Aug 23, 2015 at 12:21 PM, Sterpu Victor <> 
>>I have a web page that asks for client certificate.
>>These are the options for this:
>>SSLVerifyClient require
>>SSLVerifyDepth 10
>>How does SSLVerifyClient  verifies the client certificate?
>>This option protects against certificates manual made with a fake 
>>public-private key pair?
>>So can someoane make a certificate identical with the original, attach 
>>another set of public and private keys and pretend to be someoane 
>>Thank you

This email has been checked for viruses by Avast antivirus software.

View raw message