Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2012/07/19 17:11:25 UTC
[users@httpd] SSL Client Certificate Requirements Question
I have a single server with a multiple vhost SSL certificate from a
recognized CA. All vhosts are using SSL/TLS successfully and
exclusively with HSTS enforcement.
I would now like to add SSL client certificates for individual vhost
private directory access and plan to do so using a self-generated,
self-signed CA certificate (self-CA) set up, with one certificate per
authorized user and vhost. My question for my set up is this:
Does the client browser have to import anything other than its
assigned SSL client certificate?
One source I've found says I will also have to have my self-CA
certificate available for import by each client browser but another
source says no (I can provide the sources later when I get access to
my own computer). The Apache 2.4 docs, as I interpret them, imply
that they are two separate things and only the single client
certificate will have to be imported since the session SSL connection
is created through the widely-recognized CA certificate.
(I apologize for any unclear terminology--I am still trying to sort it all out.)
Thanks.
Best regards,
-Tom
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] SSL Client Certificate Requirements Question
Posted by Juan Vidanez <Ju...@vcint.com>.
Your https vhost could look like:
<VirtualHost TEMPLATE_IP:443>
    ServerName TEMPLATE_SERVERNAME.example.com
    DocumentRoot /export/public
    ErrorLog /usr/apache/logs/www.example.com_error_log
    CustomLog "|/usr/apache/bin/rotatelogs
    RewriteEngine On
    RewriteOptions inherit
    DeflateBufferSize 8096
    DeflateFilterNote ratio
    DeflateMemLevel 9
    <IfModule mod_deflate.c>
        SetOutputFilter DEFLATE
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        # Don't compress images or txt
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|txt|lx2|pdf)$ no-gzip dont-vary
    </IfModule>
    <Directory "/export/public">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    SSLEngine On
    SSLCertificateFile /usr/apache/ssl/certs/www.example.com/server.crt
    SSLCertificateKeyFile /usr/apache/ssl/certs/www.example.com/server.key
    SSLCACertificateFile /usr/apache/ssl/certs/intermediate.crt
</VirtualHost>
-----Original Message-----
From: Tom Browder [mailto:tom.browder@gmail.com]
Sent: 20 July 2012 03:22
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Client Certificate Requirements Question
On Thu, Jul 19, 2012 at 7:34 PM, Daniel Ruggeri <DR...@primary.net> wrote:
> On 7/19/2012 10:11 AM, Tom Browder wrote:
>> I have a single server with a multiple vhost SSL certificate from a
>> recognized CA. All vhosts are using SSL/TLS successfully and
>> exclusively with HSTS enforcement.
>>
>> I would now like to add SSL client certificates for individual vhost
>> private directory access and plan to do so using a self-generated,
>> self-signed CA certificate (self-CA) set up, with one certificate per
>> authorized user and vhost. My question for my set up is this:
>>
>> Does the client browser have to import anything other than its
>> assigned SSL client certificate?
...
> Since your servers are signed by a known CA, the browsers will only need
> to have a private key/certificate imported to function. In your httpd
> vhost, you will place your self-signed CA certificate (the one that
> signs the client certs) in the file pointed to by SSLCACertificateFile.
Thanks, Daniel!
Best regards,
-Tom
Re: [users@httpd] SSL Client Certificate Requirements Question
Posted by Tom Browder <to...@gmail.com>.
On Thu, Jul 19, 2012 at 7:34 PM, Daniel Ruggeri <DR...@primary.net> wrote:
> On 7/19/2012 10:11 AM, Tom Browder wrote:
>> I have a single server with a multiple vhost SSL certificate from a
>> recognized CA. All vhosts are using SSL/TLS successfully and
>> exclusively with HSTS enforcement.
>>
>> I would now like to add SSL client certificates for individual vhost
>> private directory access and plan to do so using a self-generated,
>> self-signed CA certificate (self-CA) set up, with one certificate per
>> authorized user and vhost. My question for my set up is this:
>>
>> Does the client browser have to import anything other than its
>> assigned SSL client certificate?
...
> Since your servers are signed by a known CA, the browsers will only need
> to have a private key/certificate imported to function. In your httpd
> vhost, you will place your self-signed CA certificate (the one that
> signs the client certs) in the file pointed to by SSLCACertificateFile.
Thanks, Daniel!
Best regards,
-Tom
Re: [users@httpd] SSL Client Certificate Requirements Question
Posted by Daniel Ruggeri <DR...@primary.net>.
On 7/19/2012 10:11 AM, Tom Browder wrote:
> I have a single server with a multiple vhost SSL certificate from a
> recognized CA. All vhosts are using SSL/TLS successfully and
> exclusively with HSTS enforcement.
>
> I would now like to add SSL client certificates for individual vhost
> private directory access and plan to do so using a self-generated,
> self-signed CA certificate (self-CA) set up, with one certificate per
> authorized user and vhost. My question for my set up is this:
>
> Does the client browser have to import anything other than its
> assigned SSL client certificate?
>
> One source I've found says I will also have to have my self-CA
> certificate available for import by each client browser but another
> source says no (I can provide the sources later when I get access to
> my own computer). The Apache 2.4 docs, as I interpret them, imply
> that they are two separate things and only the single client
> certificate will have to be imported since the session SSL connection
> is created through the widely-recognized CA certificate.
>
> (I apologize for any unclear terminology--I am still trying to sort it all out.)
>
> Thanks.
Since your servers are signed by a known CA, the browsers will only need
to have a private key/certificate imported to function. In your httpd
vhost, you will place your self-signed CA certificate (the one that
signs the client certs) in the file pointed to by SSLCACertificateFile.
--
Daniel Ruggeri
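Daniel's answer and Juan's vhost, worked end to end as an added example (this script is not part of the thread and is not httpd project code). It builds the private "self-CA", issues one client certificate per user with extendedKeyUsage=clientAuth, packs only the user's key and certificate into a PKCS#12 file for browser import, and checks with openssl verify that the certificate chains to the private CA but not to an unrelated CA (standing in for the commercial CA that signed the server certificate). It then prints the httpd 2.4 directives for the protected directory. Two points worth noting against Juan's config: SSLCACertificateFile is the trust store for client certificates, so putting the server's intermediate there does nothing for the server chain (that belongs in SSLCertificateChainFile, or appended to SSLCertificateFile from 2.4.8 on), and Order/Allow is 2.2 syntax that needs mod_access_compat on 2.4. All names, paths, the CA subject and the "changeit" bundle password are assumptions; openssl 1.1.1 or later on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl >= 1.1.1 on PATH.
# Names, paths and the PKCS#12 password "changeit" are illustrative.
set -e

# Minimal openssl config so results do not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca DIR NAME: self-signed CA (NAME.key, NAME.crt) that signs client certs.
# The CA key stays on the issuing host; only NAME.crt goes to httpd.
make_ca() {
  dir=$1; name=$2
  [ -f "$dir/openssl.cnf" ] || write_cnf "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/openssl.cnf" -extensions ca_ext \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# issue_client_cert DIR CA USER: key + CSR for USER, signed by CA with
# extendedKeyUsage=clientAuth, then bundled as USER.p12 for browser import.
# The bundle holds only the user's key and cert; the browser does not need
# the private CA certificate, which lives on the server (Daniel's point).
issue_client_cert() {
  dir=$1; ca=$2; user=$3
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=$user" -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$user.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/openssl.cnf" -extensions client_ext \
    -out "$dir/$user.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/$user.crt" -inkey "$dir/$user.key" \
    -name "$user" -passout pass:changeit -out "$dir/$user.p12"
}

# verify_client_cert DIR CA USER: the check mod_ssl performs for
# "SSLVerifyClient require": chains to CA and is fit for TLS client use.
verify_client_cert() {
  dir=$1; ca=$2; user=$3
  openssl verify -CAfile "$dir/$ca.crt" -purpose sslclient "$dir/$user.crt" >/dev/null 2>&1
}

# p12_subject DIR USER: subject of the certificate inside the PKCS#12 bundle.
p12_subject() {
  openssl pkcs12 -in "$1/$2.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# vhost_fragment CAFILE USER: httpd 2.4 directives for the protected directory.
# Placing SSLVerifyClient in <Directory> forces a renegotiation on first hit
# (and is unavailable under TLS 1.3 without post-handshake auth); put it at
# vhost level if the whole vhost is private.
vhost_fragment() {
  cat <<EOF
# Trust store for *client* certificates: the private CA, not the server chain.
SSLCACertificateFile   $1
# Only this CA is listed in the CertificateRequest the browser sees.
SSLCADNRequestFile     $1
SSLVerifyDepth         1
<Directory "/export/public/private">
    SSLVerifyClient require
    SSLOptions +StdEnvVars
    Require expr %{SSL_CLIENT_S_DN_CN} == "$2"
</Directory>
EOF
}

demo() {
  dir=$(mktemp -d)
  make_ca "$dir" private-client-ca
  make_ca "$dir" other-ca            # stand-in for the public CA of the server cert
  issue_client_cert "$dir" private-client-ca alice
  if verify_client_cert "$dir" private-client-ca alice; then echo "alice.crt: chains to private CA"; fi
  if verify_client_cert "$dir" other-ca alice; then echo "unexpected: accepted by other CA"; exit 1; fi
  echo "bundle carries: $(p12_subject "$dir" alice)"
  vhost_fragment /usr/apache/ssl/certs/private-client-ca.crt alice
}
demo
```

Import alice.p12 into the browser (Firefox: Certificate Manager, Your Certificates; Chrome/IE on Windows: the personal store via certmgr), install private-client-ca.crt on the server only, and reload httpd. SSLCADNRequestFile keeps the browser's certificate picker to the one CA you issue from, which avoids users being prompted with unrelated personal certificates.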