Posted to users@httpd.apache.org by Kumar Bijayant <bi...@gmail.com> on 2013/12/16 13:27:32 UTC
[users@httpd] client side certificate authentication
Hello List,
I am struggling to understand the concept of client side authentication
enabled in SSL apache. I have been reading the posts, google pages but
still clueless.
What I could understand till now is that 3 configuration parameters are required
SSLVerifyClient
SSLVerifyDepth
SSLCACertificateFile
The point on which I am confused is SSLCARevocationFile.
Also, the client has given 12 chain certificates to achieve that. I am
confused about where I need to put those certificates and what kind of
minimal configuration I should do to get that functionality.
The more I am reading the more I am getting confused :( especially on
SSLCARevocationFile
Thanks & Regards,
Bijayant Kumar
PS: I am not a newbie to Apache (working with it for a few years) but this time stuck
like anything and it is hard to believe that I am not able to understand
the simple documents on Apache site :(
Re: [users@httpd] client side certificate authentication
Posted by Toomas Aas <to...@raad.tartu.ee>.
Hello!
> I am struggling to understand the concept of client side authentication
> enabled in SSL apache. I have been reading the posts, google pages but
> still clueless.
>
> What I could understand till now is that 3 configuration parameters are required
>
> SSLVerifyClient
> SSLVerifyDepth
> SSLCACertificateFile
>
> The point on which I am confused is SSLCARevocationFile.
The meaning of SSLCARevocationFile is really quite simple. Let's say
that we have issued certificates to all employees in our company.
These certificates are issued by the CA whose certificate is in
SSLCACertificateFile. Apache is configured to trust all certificates
issued by this CA. Now one of the employees leaves and should no
longer have access. We can't really "take back" the certificate file
issued to this employee, so we just declare that we no longer trust
this particular certificate - in other words, we revoke the
certificate. Such revoked certificates are listed in "Certificate
Revocation List" - a file which SSLCARevocationFile points to.
--
Toomas Aas
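A minimal virtual host that ties the three directives from the question to the revocation list described in the reply, added here as an example and not taken from either post. The host name, file paths and depth value are assumptions, and it assumes the chain certificates are the PEM-encoded CA certificates that issued the client certificates; SSLCARevocationCheck applies to httpd 2.4 and does not exist in 2.2.

```apache
# Added example; host name, paths and the depth value are assumed.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # The server's own certificate and key (not part of client auth).
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # CA certificates that the client certificates chain up to:
    # all PEM certificates concatenated into one file.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca-chain.pem

    # Refuse the handshake unless the client presents a certificate
    # that verifies against the CA file above.
    SSLVerifyClient require

    # Must be at least the number of CA certificates between a client
    # certificate and the trusted root. 3 is an assumed value.
    SSLVerifyDepth 3

    # PEM-encoded CRLs published by those CAs: the revoked certificates.
    SSLCARevocationFile   /etc/httpd/ssl/client-ca.crl.pem

    # httpd 2.4: CRL checking is off by default ("none"), so the file
    # above has no effect until this is set. "chain" checks every
    # certificate in the chain and needs a CRL from each CA in it;
    # "leaf" checks only the client certificate. Omit this line on 2.2.
    SSLCARevocationCheck chain
</VirtualHost>
```

Reload httpd whenever the CRL file is replaced, because mod_ssl reads it at startup.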