Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2016/02/25 12:58:46 UTC

[users@httpd] Is it possible to use two different client cert sets?

I have a working system of client certs (which were signed using
SHA1) allowing access to a private area on a website. As we all know, soon
such certs will be a thing of the past since SHA2 will be required.

I have started generating the certs with SHA2, but want to know if I can
use both systems on the same site while I get my users to transition to
their new certs.

Thanks a heap!

Best regards,

-Tom

Re: [users@httpd] Is it possible to use two different client cert sets?

Posted by Tom Browder <to...@gmail.com>.
On Thu, Feb 25, 2016 at 10:24 AM, Eric Covener <co...@gmail.com> wrote:
> On Thu, Feb 25, 2016 at 11:20 AM, Tom Browder <to...@gmail.com> wrote:
>> But, for future reference, how would using two CA's for the same
>> protected directory work?  Would the two SSLCACertificateFile files
>> have to be concatenated into one?
>
> The file you point to can be an aggregation of CA certificates.

Great!  Thanks again, Eric!

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Is it possible to use two different client cert sets?

Posted by Eric Covener <co...@gmail.com>.
On Thu, Feb 25, 2016 at 11:20 AM, Tom Browder <to...@gmail.com> wrote:
> But, for future reference, how would using two CA's for the same
> protected directory work?  Would the two SSLCACertificateFile files
> have to be concatenated into one?

The file you point to can be an aggregation of CA certificates.
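
The aggregation described in the reply above, as an added example that is not part of the original thread: a shell script that builds an old and a new client CA, concatenates both into one file suitable for SSLCACertificateFile, and checks with openssl that certs from both CAs are accepted while a cert from a CA left out of the file is rejected. All CA names, user names and the bundle file name are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway CAs and client certs, all constructed here.
# Apache side (real mod_ssl directives, placeholder path):
#   SSLCACertificateFile /path/to/client-ca-bundle.pem
#   SSLVerifyClient require
set -eu

# make_ca DIR NAME: self-signed CA, writes NAME.key and NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_client DIR CA USER: client cert USER.pem signed by CA
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$1/$3.csr" \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# trusted BUNDLE CERT: succeeds only if CERT chains to a CA in BUNDLE
trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: prints one summary line with the CA count and each verdict
demo() {
    d=$(mktemp -d)
    for ca in old-ca new-ca untrusted-ca; do make_ca "$d" "$ca"; done
    issue_client "$d" old-ca alice          # existing user, old CA
    issue_client "$d" new-ca bob            # migrated user, new CA
    issue_client "$d" untrusted-ca carol    # CA deliberately left out
    # The aggregation: PEM CA certificates concatenated into one file.
    cat "$d/old-ca.pem" "$d/new-ca.pem" > "$d/client-ca-bundle.pem"
    out="cas=$(grep -c 'BEGIN CERTIFICATE' "$d/client-ca-bundle.pem")"
    for u in alice bob carol; do
        if trusted "$d/client-ca-bundle.pem" "$d/$u.pem"; then
            out="$out $u=accept"
        else
            out="$out $u=reject"
        fi
    done
    rm -rf "$d"
    echo "$out"
}

demo
```

Once every user has moved to the new CA, dropping the old CA's certificate from the aggregated file and restarting gracefully ends trust in the old certs.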



Re: [users@httpd] Is it possible to use two different client cert sets?

Posted by Tom Browder <to...@gmail.com>.
On Thu, Feb 25, 2016 at 9:24 AM, Eric Covener <co...@gmail.com> wrote:
> On Thu, Feb 25, 2016 at 6:58 AM, Tom Browder <to...@gmail.com> wrote:
>> I have started generating the certs with SHA2, but want to know if I can use
>> both systems on the same site while I get my users to transition to their
>> new certs.
>
> Unless I am misunderstanding:
>
> If you use the same CA, the old certs will remain trusted.
> If you use a new CA for the new certs, you can easily trust both CA's.

That sounds good, it will be the same CA.

My concern was, due to not fully understanding all the steps, that the
CA side of things on the server (SSLCACertificateFile) might not be
good for the new certs.

But, for future reference, how would using two CA's for the same
protected directory work?  Would the two SSLCACertificateFile files
have to be concatenated into one?

Thanks for your help, Eric!

Best regards,

-Tom



Re: [users@httpd] Is it possible to use two different client cert sets?

Posted by Eric Covener <co...@gmail.com>.
On Thu, Feb 25, 2016 at 6:58 AM, Tom Browder <to...@gmail.com> wrote:
> I have started generating the certs with SHA2, but want to know if I can use
> both systems on the same site while I get my users to transition to their
> new certs.

Unless I am misunderstanding:

If you use the same CA, the old certs will remain trusted.
If you use a new CA for the new certs, you can easily trust both CA's.



Re: [users@httpd] Is it possible to use two different client cert sets?

Posted by Daniel <df...@gmail.com>.
No, AFAIK the only transition is that when you get the new cert signed, you
copy it to its respective path and gracefully restart Apache.

On Thu, Feb 25, 2016 at 12:58, Tom Browder (<to...@gmail.com>)
wrote:

> I have a working system of client certs (which were signed using
> SHA1) allowing access to a private area on a website. As we all know, soon
> such certs will be a thing of the past since SHA2 will be required.
>
> I have started generating the certs with SHA2, but want to know if I can
> use both systems on the same site while I get my users to transition to
> their new certs.
>
> Thanks a heap!
>
> Best regards,
>
> -Tom
>