Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-26 Thread Matt Stevenson
Hi,

Asking every time does make it complicated. I can't remember if the Firefox
default is to ask or auto supply (and it has changed behavior between 1/2/3
AFAIK); I have it as ask every time.

Anyway the ask every time FF behavior isn't very nice for users (auto supply is 
probably fine for most users). FF will also ask for a cert every session ID 
change.

As you know there isn't an ask once option, which would be very nice.  I don't 
think there is much that can be done to fix it other than coding up an ask 
once option in FF (which I haven't got the time to do :( ).

Anyway you may also want to use/need the SSLOptions +OptRenegotiate if you 
have portions of the site that do and don't require client certs. It can help 
greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all 
the time going from non-client cert to client cert areas.


Regards
Matt


- Original Message 
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Thursday, September 25, 2008 9:37:00 AM
Subject: Re: Can i use CA signed cert to create client authentication 
certificates ?

Thank you very much Matt .
That solved it :).

I now have Client Certificate Authentication working with a CA signed 
certificate and a Self Signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup?
Although I think this problem might be Firefox specific I'm hoping for some
advice here.

Internet Explorer handles the client certificates fine, prompts me to select
certificate on connection to the site and basically just works after that.

But when Firefox is set to Ask me every time instead of auto select client
certificate I keep getting the select certificate pop up several (multiple)
times per page request/load from the SSL secured Apache server.
There is only one certificate in the select from dialog, but it keeps prompting
me and I can see it loading one and one item (image) on the website.
If I switch to Auto select certificate it works. But it would be nice not
having the browser present the certificate without it being the user's choice.
And honestly, choosing it once per session per site should be sufficient.

I should probably mention that the page served up is behind a mod_proxy module.
But this content should not differ for Firefox, and certificate selection. Or
does the mod_ssl module prompt for a client certificate for each item loaded?

I have googled this but can't find any good answers.
Some say it is because of image objects loading, but why?

Best regards

Jan Stian Gabrielli

Original Message ---
Hi,

Basically...

SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt

- Original Message 
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Tuesday, September 23, 2008 1:39:16 PM
Subject: Re: Can i use CA signed cert to create client authentication 
certificates ?

Ok. This seems like a viable solution.
I.e.
I use an approved CA signed cert to verify the site authenticity, and I use a
selfsigned CA root for client certificates.

Can you point me in a direction of how I make this work in Apache?
I already have a setup with a Selfsigned CA working for client certificates.

Created SelfSignedCA
|--Create and Sign Apache Cert from SelfSigned CA
|--Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (Thawte) signed webserver certificate?

Best regards

Wizkidnono

Original Message ---
Sounds like you're trying to use the thawte apache cert to sign your client
certs? The thawte cert won't have the right attributes to sign a client cert 
and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt



- Original Message 
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up Apache with mod_ssl, and I have it working with a
Self Signed CA.
But I can not get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a third
party where one does not have access to their root CA key?

I.e.

I have generated an apache_server.key, made an apache_server.csr and sent
this for signing by thawte.com
Received an apache_server.crt

Created a client.key and a client.csr
Signed it with my apache_server.key and apache_server.crt

Converted the client.key,crt to a pkcs12 file and imported this into my
browser but I can not make things work.

SSL works fine on the server on pages that do not require SSL client auth.

As I stated earlier, it works when I create and self sign a CA, but I can't
make it work when I use
Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-25 Thread Jan Stian Gabrielli
Thank you very much Matt .
That solved it :).

I now have Client Certificate Authentication working with a CA signed 
certificate and a Self Signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup?
Although I think this problem might be Firefox specific I'm hoping for some
advice here.

Internet Explorer handles the client certificates fine, prompts me to select
certificate on connection to the site and basically just works after that.

But when Firefox is set to Ask me every time instead of auto select client
certificate I keep getting the select certificate pop up several (multiple)
times per page request/load from the SSL secured Apache server.
There is only one certificate in the select from dialog, but it keeps prompting
me and I can see it loading one and one item (image) on the website.
If I switch to Auto select certificate it works. But it would be nice not
having the browser present the certificate without it being the user's choice.
And honestly, choosing it once per session per site should be sufficient.

I should probably mention that the page served up is behind a mod_proxy module.
But this content should not differ for Firefox, and certificate selection. Or
does the mod_ssl module prompt for a client certificate for each item loaded?

I have googled this but can't find any good answers.
Some say it is because of image objects loading, but why?
 
Best regards

Jan Stian Gabrielli

Original Message ---
Hi,

Basically...

SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt

- Original Message 
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Tuesday, September 23, 2008 1:39:16 PM
Subject: Re: Can i use CA signed cert to create client authentication 
certificates ?

Ok. This seems like a viable solution.
I.e.
I use an approved CA signed cert to verify the site authenticity, and I use a
selfsigned CA root for client certificates.

Can you point me in a direction of how I make this work in Apache?
I already have a setup with a Selfsigned CA working for client certificates.

Created SelfSignedCA
|--Create and Sign Apache Cert from SelfSigned CA
|--Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (Thawte) signed webserver certificate?

Best regards

Wizkidnono

Original Message ---
Sounds like you're trying to use the thawte apache cert to sign your client
certs? The thawte cert won't have the right attributes to sign a client cert 
and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt



- Original Message 
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up Apache with mod_ssl, and I have it working with a
Self Signed CA.
But I can not get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a third
party where one does not have access to their root CA key?

I.e.

I have generated an apache_server.key, made an apache_server.csr and sent
this for signing by thawte.com
Received an apache_server.crt

Created a client.key and a client.csr
Signed it with my apache_server.key and apache_server.crt

Converted the client.key,crt to a pkcs12 file and imported this into my
browser but I can not make things work.

SSL works fine on the server on pages that do not require SSL client auth.

As I stated earlier, it works when I create and self sign a CA, but I can't
make it work when I use a 3rd party CA and only have apache_server.key,
apache_server.crt, thawte root cert.

Best regards

Wizkidnono
  
__
Apache Interface to OpenSSL (mod_ssl)  www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-23 Thread Jan Stian Gabrielli
Ok. This seems like a viable solution.
I.e.
I use an approved CA signed cert to verify the site authenticity, and I use a
selfsigned CA root for client certificates.

Can you point me in a direction of how I make this work in Apache?
I already have a setup with a Selfsigned CA working for client certificates.

Created SelfSignedCA
|--Create and Sign Apache Cert from SelfSigned CA
|--Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (Thawte) signed webserver certificate?

Best regards

Wizkidnono

Original Message ---
Sounds like you're trying to use the thawte apache cert to sign your client
certs? The thawte cert won't have the right attributes to sign a client cert 
and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt



- Original Message 
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up Apache with mod_ssl, and I have it working with a
Self Signed CA.
But I can not get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a third
party where one does not have access to their root CA key?

I.e.

I have generated an apache_server.key, made an apache_server.csr and sent
this for signing by thawte.com
Received an apache_server.crt

Created a client.key and a client.csr
Signed it with my apache_server.key and apache_server.crt

Converted the client.key,crt to a pkcs12 file and imported this into my
browser but I can not make things work.

SSL works fine on the server on pages that do not require SSL client auth.

As I stated earlier, it works when I create and self sign a CA, but I can't
make it work when I use a 3rd party CA and only have apache_server.key,
apache_server.crt, thawte root cert.

Best regards

Wizkidnono

Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-22 Thread Matt Stevenson
Sounds like you're trying to use the thawte apache cert to sign your client
certs? The thawte cert won't have the right attributes to sign a client cert 
and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt



- Original Message 
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up Apache with mod_ssl, and I have it working with a
Self Signed CA.
But I can not get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a third
party where one does not have access to their root CA key?

I.e.

I have generated an apache_server.key, made an apache_server.csr and sent
this for signing by thawte.com
Received an apache_server.crt

Created a client.key and a client.csr
Signed it with my apache_server.key and apache_server.crt

Converted the client.key,crt to a pkcs12 file and imported this into my
browser but I can not make things work.

SSL works fine on the server on pages that do not require SSL client auth.

As I stated earlier, it works when I create and self sign a CA, but I can't
make it work when I use a 3rd party CA and only have apache_server.key,
apache_server.crt, thawte root cert.

Best regards

Wizkidnono
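
The split discussed in this thread (a public CA for the server certificate, a private CA for client certificates) and the failure of a client certificate signed with the server's own key, as an added example that is not part of the original thread. All file names and CNs are constructed; `pubca` stands in for the public CA, and the CA:FALSE setting on the stand-in server certificate is an assumption about how such certificates are normally issued.

```shell
#!/bin/sh
# Added demo: every file name and CN is constructed. pubca stands in for the
# public CA, clientca for the self-signed CA that issues client certificates.
check_client_ca_split() {
    d=$(mktemp -d) || return 2
    (
        cd "$d" || exit 2
        cat > x.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth
EOF
        mkca() {   # mkca NAME: self-signed root that is allowed to issue certs
            openssl req -x509 -config x.cnf -extensions ca_ext -newkey rsa:2048 \
                -nodes -days 30 -subj "/CN=$1" -keyout "$1.key" -out "$1.crt"
        }
        issue() {  # issue NAME SIGNER EXT_SECTION: CSR, then sign with SIGNER
            openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
                -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" &&
            openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
                -CAcreateserial -days 30 -extfile x.cnf -extensions "$3" -out "$1.crt"
        }
        { mkca pubca && mkca clientca &&
          issue apache_server pubca server_ext &&
          issue client_good clientca client_ext &&
          issue client_bad apache_server client_ext; } >/dev/null 2>&1 || exit 2
        # Client cert from the private CA verifies against that CA alone.
        openssl verify -purpose sslclient -CAfile clientca.crt client_good.crt \
            >/dev/null 2>&1 || exit 1
        # Client cert signed with the server's leaf key is rejected even with the
        # public root trusted: apache_server.crt is CA:FALSE, so it cannot issue.
        ! openssl verify -purpose sslclient -CAfile pubca.crt \
            -untrusted apache_server.crt client_bad.crt >/dev/null 2>&1
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `check_client_ca_split; echo $?`: 0 means the private-CA client certificate verified and the leaf-signed one was rejected. On the server, `clientca.crt` is the file `SSLCACertificateFile` would point to.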