Posted to users@httpd.apache.org by Kumar Bijayant <bi...@gmail.com> on 2013/12/16 13:27:32 UTC

[users@httpd] client side certificate authentication

Hello List,

I am struggling to understand the concept of client side authentication
enabled in SSL Apache. I have been reading the posts, Google pages but
still clueless.

What I could understand till now is that 3 configuration parameters are required

SSLVerifyClient
SSLVerifyDepth
SSLCACertificateFile

The point on which I am confused is SSLCARevocationFile.

Also, the client has given 12 chain certificates to achieve that. I am
confused about where I need to put those certificates and what kind of
minimal configuration I should do to get that functionality.

The more I am reading the more I am getting confused :( especially on
SSLCARevocationFile

Thanks & Regards,
Bijayant Kumar

PS: I am not a newbie to Apache (working with it for a few years) but this time I am stuck
like anything and it is hard to believe that I am not able to understand
the simple documents on the Apache site :(

Re: [users@httpd] client side certificate authentication

Posted by Toomas Aas <to...@raad.tartu.ee>.
Hello!

> I am struggling to understand the concept of client side authentication
> enabled in SSL Apache. I have been reading the posts, Google pages but
> still clueless.
>
> What I could understand till now is that 3 configuration parameters are required
>
> SSLVerifyClient
> SSLVerifyDepth
> SSLCACertificateFile
>
> The point on which I am confused is SSLCARevocationFile.

The meaning of SSLCARevocationFile is really quite simple. Let's say
that we have issued certificates to all employees in our company.
These certificates are issued by the CA whose certificate is in
SSLCACertificateFile. Apache is configured to trust all certificates
issued by this CA. Now one of the employees leaves and should no
longer have access. We can't really "take back" the certificate file
issued to this employee, so we just declare that we no longer trust
this particular certificate - in other words, we revoke the
certificate. Such revoked certificates are listed in "Certificate
Revocation List" - a file which SSLCARevocationFile points to.

-- 
Toomas Aas
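
A minimal mod_ssl configuration for the setup discussed in this thread, added here as an example and not part of the original posts. It assumes Apache 2.4; the host name, all file paths and the depth value are placeholders.

```apache
# Added example; host name, paths and depth are hypothetical placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # The server's own certificate and key (not related to client authentication).
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # CA certificates trusted to issue client certificates: a single file
    # with the PEM blocks of the CA certificates concatenated one after another.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca-bundle.pem

    # Refuse the connection unless the client presents a certificate that
    # chains to one of the CAs in the bundle above.
    SSLVerifyClient require

    # Maximum number of intermediate issuers allowed between the client
    # certificate and a trusted CA. 3 is an assumed value; set it to cover
    # the longest chain actually in use.
    SSLVerifyDepth 3

    # PEM-encoded CRL(s) published by those CAs, concatenated into one file.
    SSLCARevocationFile   /etc/httpd/ssl/client-ca.crl

    # In Apache 2.4 the CRL is only consulted when checking is enabled.
    # "chain" checks every certificate in the chain, "leaf" only the
    # client's own certificate.
    SSLCARevocationCheck  chain
</VirtualHost>
```

The CRL file is read when httpd starts, so a newly revoked certificate is rejected only after the file has been replaced with the CA's current CRL and httpd has been reloaded.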

