To the next guy,
To answer my question with what I have: My requirement has been pushed out 6 months, so I'm done for now. The Gunther Birznieks/www.extropia.com project has modules to do some of the things I queried about. I looked at it but ran out of time before I found what I would need. I also found where various training issues are likely because certificates may have to be bought and the browser or web server might not necessarily handle problems gracefully/friendly and the issue of revocation does not have a widely used tool for processing certificate status updates. Chuck Modssl manual on client side certs (setup only - not programming): http://www.modssl.org/docs/2.8/ssl_faq.html Quote from Gunther Birznieks (from an old post): "If you download our Perl objects @ http://www.extropia.com/development/webware2/webware2.html, I have an AuthManager::Certificate which implements client certificate authentication. Probably the best place to download the code for that is on the extropia perl project at sourceforge if you want to see the implementation. It's actually "trivial" because mod_ssl will decode the certificate into extra environment variables indicating stuff like the DN of the user. It's a requirement of SSL to make sure the certificate is valid based on the certificate's signature(s). At that point, then you need to deal with certificate revocation which is another matter. A lot of servers back up certificate authentication with LDAP. So the client sends the cert which verifies that they are who they say they are, but LDAP needs to be used to actually get the relevant authorization information out. If you use the framework we have, that is accomplished by configuring the use of AuthManager::Certificate against Auth::LDAP. Auth::Cache::Session can optionally be used to speed up the process. Chapter 20 on the link I gave you has details on why we broke up the modules the way we did. Note that this is not to be confused with a handler. This is application level logic. mod_ssl already handles certificate decoding so you really don't need a handler anymore. At that point it seems like app logic to take the user and figure out what you want them to do. Of course, you can code authorization info into a cert like the roles that they are intended for. But I think that's IMHO, a really BAD way to do it because you have to revoke the cert to change the permissions of the user. Best to leave the cert to identify the user and allow a dynamic datastore to determine what they can do in most cases. Later, Gunther PS The hard part about client certificates isn't using them, its managing them and the customers that use them." ================= References for Related subjects The book "Microsoft® Windows® 2000 Active Directory(tm) Programming" has several pages on programming with LDAP on Windows Active Directory. According to Gunther, LDAP is used in this process somehow. -----Original Message----- From: Goehring, Chuck Mr., RCI - San Diego Sent: Tuesday, September 16, 2003 10:26 AM To: [EMAIL PROTECTED] Apache. Org (E-mail) Subject: client-side certificate extraction ModPerlers, We have a requirement to change our web servers to require client-side ssl certificates by Oct 1, 2003. Can someone give me some pointers on how mod_perl might be used to extract the user's name at login time. I suspect this might require a handler. This might be used to avoid multiple logins. Thanks Chuck