On 22.04.2014 14:57, Ligade, Shailesh [USA] wrote:
> I think by default, the certificate hint list asks for client
> authentication certificates. Is there any configuration option to ask
> for different types of certificates? e.g. signing or encryption
> certificates?

This would be a question for the users list, in the first place (http://httpd.apache.org/userslist.html)... but to cut it short: only to a small extent, since a TLS server can only include the following things in a CertificateRequest message: lists of certificate_types, supported_signature_algorithms (TLS 1.2) and certificate_authorities (RFC 5246, section 7.4.4). The onus is mostly on the client to make sure that it doesn't pick a cert with an unsuitable keyUsage/EKU extension.

Kaspar
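
The CertificateRequest layout described in the reply above, as an added example that is not part of the original message: a Python parser for the TLS 1.2 message body (RFC 5246, section 7.4.4). The sample bytes and the `CN=Test` name are constructed, and the function names are this example's own.

```python
import struct

# Names from RFC 5246 (sections 7.4.4, 7.4.1.4.1) and RFC 4492 (ecdsa_sign).
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh",
              4: "dss_fixed_dh", 64: "ecdsa_sign"}
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}


def _vector(buf, off, len_bytes):
    """Read one length-prefixed TLS vector; return (payload, new offset)."""
    if off + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    off += len_bytes
    if off + n > len(buf):
        raise ValueError("vector runs past end of message")
    return buf[off:off + n], off + n


def parse_certificate_request(body):
    """Parse a TLS 1.2 CertificateRequest body (handshake header removed)."""
    types, off = _vector(body, 0, 1)   # certificate_types<1..2^8-1>
    algs, off = _vector(body, off, 2)  # supported_signature_algorithms
    cas, off = _vector(body, off, 2)   # certificate_authorities<0..2^16-1>
    if off != len(body):
        raise ValueError("trailing bytes: the struct has no further fields")
    if len(types) == 0 or len(algs) % 2:
        raise ValueError("malformed certificate_types or signature algorithms")
    names, pos = [], 0
    while pos < len(cas):              # each entry: 2-byte length + DER DN
        dn, pos = _vector(cas, pos, 2)
        names.append(dn)
    return {
        "certificate_types": [CERT_TYPES.get(t, f"unknown({t})") for t in types],
        "supported_signature_algorithms": [
            (HASHES.get(algs[i], str(algs[i])), SIGS.get(algs[i + 1], str(algs[i + 1])))
            for i in range(0, len(algs), 2)],
        "certificate_authorities": names,
    }


# Constructed sample: two cert types, two hash/sig pairs, one DN (CN=Test).
SAMPLE_DN = b"\x30\x0f\x31\x0d\x30\x0b\x06\x03\x55\x04\x03\x0c\x04Test"
SAMPLE = (b"\x02\x01\x40" + b"\x00\x04\x04\x01\x04\x03"
          + struct.pack(">HH", len(SAMPLE_DN) + 2, len(SAMPLE_DN)) + SAMPLE_DN)
```

The returned dictionary has exactly three keys, one per field of the struct; the message has no place to name a keyUsage or EKU value.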
