> I need to configure my server to request from the client
> a certificate from a CA different from that of the
> server identifying cert (a self signed one).
> ...
> Can somebody help me to configure this list in apache mod_ssl?

See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile and related directives. That just configures the CAs from whom you will accept client certificates.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient is the directive you need to send a "request certificate" directive to the client. In my experience "optional" can lead to a better user experience, but not all clients (ahem, Safari 3.2, 4.0) understand it.

> I want apache to ask the client for the cert from the CA of the cert on the SmartCard.
> Is it possible?

Sure it's possible, but it is entirely outside of the purview of either your Web server or CAS. We use certificates on a USB security token device (eToken Pro), and the client software that integrates with the browser is always the weakest link in the process.

M
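
The setup discussed in this thread, as an added example that is not part of the original messages: a mod_ssl virtual host whose own certificate is self-signed while client certificates are accepted only from a separate CA. The host name, file paths and the `/protected` location are placeholder assumptions.

```apache
# Added example. ServerName, paths and /protected are placeholders,
# not values from the thread.
<VirtualHost *:443>
    ServerName cas.example.org

    SSLEngine on

    # Server identity: the self-signed certificate and its private key.
    SSLCertificateFile    /etc/httpd/ssl/server-selfsigned.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Trust anchors for CLIENT certificates only. This bundle holds the CA
    # that issued the smart card / token certificates and is independent
    # of the server certificate above. mod_ssl also advertises these CA
    # names to the client as the acceptable issuers.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca-bundle.pem

    # Ask for a client certificate during the handshake.
    #   optional: the handshake succeeds even if none is presented
    #   require:  the handshake fails without a valid certificate
    SSLVerifyClient optional

    # Maximum chain length accepted between the client certificate and a
    # CA in the bundle. Set it to match the depth of the issuing hierarchy.
    SSLVerifyDepth  2

    # With "optional", unauthenticated clients still get a connection, so
    # the paths that need a certificate must check the verification result.
    <Location /protected>
        SSLOptions +StdEnvVars
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

Keep the client CA bundle limited to the issuing CA for the tokens; every CA in that file is one whose certificates the server will accept.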
