Posted to users@httpd.apache.org by Alan Chandler <al...@chandlerfamily.org.uk> on 2004/08/20 07:12:15 UTC

[users@httpd] Client Certificates - HOWTO?

I am trying to set up the following scenario

I have a web server which I want to use ssl to authenticate clients - so I 
allow only a limited community in.  In order to do this, I want all clients 
to install a client certificate in their browser - so that I can verify that 
they are who they say they are.

I have created my own CA and signed it myself.  I have created the server 
certificate/key and signed it with the CA. I have created one client 
certificate for my own "client" machine, given it a passphrase and exported 
it as a p12 file containing the cert, key and CA cert.  I have installed this 
in my browser to show it is possible.

I have read all the docs - but am a little confused on a few things.  So 
questions.

1) Can I create a single client certificate/key pair and put it into a p12 file 
with my CA cert and pass it round to all my client community?
2) Does this client certificate "need" a password to work?  It seems that the 
password must be given to install it in a browser.  If I am creating it, this 
also means telling everyone what that password is.
3) What exactly do I put into the file pointed to by the SSLCACertificateFile 
directive?  Is this just the client certificate, or does it also need my CA 
cert (and possibly the server cert)?
4) The example of doing this in the Apache2 manual does not use the 
SSLCertificateFile and SSLCertificateKeyFile directives.  Is this because 
they are out of scope of the example, or that they are not needed?

TIA
-- 
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
 then they fight you, then you win. --Gandhi

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Client Certificates - HOWTO?

Posted by Alan Chandler <al...@chandlerfamily.org.uk>.
On Sunday 22 August 2004 06:30, suomi wrote:
> Hi Alan
> concerning the passphrase, my findings were like this:
>
> using openssl on linux:
>
> you create a server request and key with
> openssl req -new -keyout $DIR/server-key.pem -out \
> $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf
>
> at this point you MUST specify a passphrase. i have not found out the
> option for openssl, which allows you to not specify a passphrase.
>
> BUT:
> you can then remove the passphrase from the key:
> openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

Thanks, that's a good idea to try.  I had already done that for the server 
certificate - but this is for client certificates which I want to hand out to 
my user community to install. 

-- 
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
 then they fight you, then you win. --Gandhi



Re: [users@httpd] Client Certificates - HOWTO?

Posted by suomi <ap...@ayni.com>.
Hi Alan
concerning the passphrase, my findings were like this:

using openssl on linux:

you create a server request and key with
openssl req -new -keyout $DIR/server-key.pem -out \
$DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

at this point you MUST specify a passphrase. I have not found out the 
option for openssl, which allows you to not specify a passphrase.

BUT:
you can then remove the passphrase from the key:
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

whether you can use the certificate which you create with such a key may 
depend on the browser, where you want to install it.

suomi

Alan Chandler wrote:
> Bad thing replying to my own post, but nobody else seemed to want to bite, and 
> I have some of the answers now after a lot of reading around.
> 
> On Friday 20 August 2004 06:12, Alan Chandler wrote:
> ...
> 
>>I have read all the docs - but am a little confused on a few things.  So
>>questions.
>>
>>1) Can I create a single client certificate/key pair and put into a p12
>>file with my CA cert and pass it round to all my client community?
> 
> 
> I certainly managed to do this to my windows2000 laptop - seemed to load OK.  
> Haven't had the opportunity to access the web site using it yet.
> 
> 
> 
>>2) Does this client certificate "need" a password to work.  It seems that
>>the password must be given to install it in a browser.  If I am creating
>>it, this also means telling everyone what that password is.
> 
> 
> Don't know the answer to this - used a password for my own key.
> 
> 
>>3) What exactly do I put into the file pointed to by the
>>SSLCACertificateFile directive.  Is this just the client certificate, or
>>does it also need my CA cert (and possibly the server cert)
> 
> 
> I think I understand this now - it's the CA cert that I signed the client key 
> with.  You don't need to store all the client keys, only the key that you 
> signed the clients' keys with.
> 
> 
>>4) The example of doing this in the Apache2 manual does not use the
>>SSLCertificateFile and SSLCertificateKeyFile directives.  Is this because
>>they are out of scope of the example - or that they are not needed.
> 
> 
> I don't know the answer to this yet - I have just put them in the 
> configuration anyway.
> 



Re: [users@httpd] Client Certificates - HOWTO?

Posted by Alan Chandler <al...@chandlerfamily.org.uk>.
Bad thing replying to my own post, but nobody else seemed to want to bite, and 
I have some of the answers now after a lot of reading around.

On Friday 20 August 2004 06:12, Alan Chandler wrote:
...
> I have read all the docs - but am a little confused on a few things.  So
> questions.
>
> 1) Can I create a single client certificate/key pair and put into a p12
> file with my CA cert and pass it round to all my client community?

I certainly managed to do this to my windows2000 laptop - seemed to load OK.  
Haven't had the opportunity to access the web site using it yet.


> 2) Does this client certificate "need" a password to work.  It seems that
> the password must be given to install it in a browser.  If I am creating
> it, this also means telling everyone what that password is.

Don't know the answer to this - used a password for my own key.

> 3) What exactly do I put into the file pointed to by the
> SSLCACertificateFile directive.  Is this just the client certificate, or
> does it also need my CA cert (and possibly the server cert)

I think I understand this now - it's the CA cert that I signed the client key 
with.  You don't need to store all the client keys, only the key that you 
signed the clients' keys with.

> 4) The example of doing this in the Apache2 manual does not use the
> SSLCertificateFile and SSLCertificateKeyFile directives.  Is this because
> they are out of scope of the example - or that they are not needed.

I don't know the answer to this yet - I have just put them in the 
configuration anyway.

-- 
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
 then they fight you, then you win. --Gandhi
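As an added example that is not part of the thread (nor the Apache project's own code), here is the key-generation side of what suomi and Alan describe: a private CA, a CA-signed client certificate exported as a .p12, and the chain check that answers question 3 (the CA cert, not the client certs, is what SSLCACertificateFile points at). It also shows that `openssl req` accepts `-nodes` to skip the key passphrase prompt. It assumes the openssl command-line tool is installed; every file name, subject and password is invented.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a private CA, signs one
# client certificate per person with it, and packs cert + key + CA cert into
# a .p12 for browser import. Assumes the openssl CLI is installed; every
# name, subject and password here is made up.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA. -nodes skips the key passphrase prompt entirely.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}

# Per-user key and CSR, then sign the CSR with the CA key (one cert per
# person, so a single person's certificate can later be withdrawn).
make_client() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name-req.pem" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$name-req.pem" \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -out "$WORK/$name-cert.pem" 2>/dev/null
}

# PKCS#12 export. The export password encrypts the private key inside the
# file and is what the browser prompts for at import time; it is per file,
# so each user's .p12 can carry its own password.
export_p12() {
  name="$1"; password="$2"
  openssl pkcs12 -export -in "$WORK/$name-cert.pem" \
    -inkey "$WORK/$name-key.pem" -certfile "$WORK/ca-cert.pem" \
    -name "$name" -passout "pass:$password" -out "$WORK/$name.p12"
}

# Chain check: does the client cert verify against ca-cert.pem? That CA
# cert is the file SSLCACertificateFile should point at.
verify_client() {
  openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/$1-cert.pem" >/dev/null 2>&1
}

main() {
  make_ca
  make_client alice
  export_p12 alice 'import-secret'
  verify_client alice && echo "alice-cert.pem chains to ca-cert.pem"
}
main
```

Set WORK to a directory of your choice to keep the generated files after the run.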
