Later than SSL v1, whether a cert is a CA cert or not is specified in the
attribute. If your cert is not a CA cert, it is not recommended to use it
for signing. The certs it signs may have trouble with browsers.

-----Original Message-----
From: Ralf S. Engelschall <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Sunday, February 28, 1999 1:01 PM
Subject: Re: mca...


>On Fri, Feb 26, 1999, GOMEZ Henri wrote:
>
>> I grabbed many parts of ssl_mod to develop an SSL proxy using certificates
>> to restrict access to internal resources
>> (http://www.multimania.com/jonama/)...
>>
>> Questions :
>>
>> 1) It's not clear if SSLCACertificatePath must point to a directory
>> with client certs or a directory with well-known CA certs (i.e.
>> Thawte/Verisign..).
>
>A dir with known CA certs.
>
>> 2) Does mod_ssl need hash filenames in CAPath since it parses all files in
>> the directory?
>
>It parses the files to construct the CA _list_, but
>OpenSSL later needs the hash links to _access_ the files.
>
>> 3) When and where is the client certificate verification done in
>> mod_ssl?
>
>Inside the function ssl_callback_SSLVerify
>
>> 4) I've got a WebServer certificate from Thawte. Can I use it or modify
>> it to sign my own certificates?
>>
>>   1) Thawte
>>   2) my WWW certificate
>>   3) my clients' certs
>
>You can't modify it after it's signed, of course. But you
>theoretically could use it to sign other certs, yes.
>
>                                       Ralf S. Engelschall
>                                       [EMAIL PROTECTED]
>                                       www.engelschall.com
>______________________________________________________________________
>Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
>Official Support Mailing List               [EMAIL PROTECTED]
>Automated List Manager                       [EMAIL PROTECTED]
>

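The two points in this thread (the CA attribute mentioned in the reply, and the hash links from the answer to question 2) can be checked with the `openssl` command-line tool; the script below is an added example, not part of the thread and not mod_ssl code. It assumes `openssl` is installed, and every file name, subject and key in it is constructed for the demonstration.

```sh
# Added example: constructed names and throwaway keys, not mod_ssl code.
set -eu

# is_ca CERT: true only if the cert carries the basicConstraints CA:TRUE attribute.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# link_ca_dir DIR: give each CA cert in DIR the <subject-hash>.N symlink that
# OpenSSL uses to look a CA up by name; certs without CA:TRUE are skipped.
link_ca_dir() (
    for pem in "$1"/*.pem; do
        is_ca "$pem" || { echo "skipped, not a CA: $pem" >&2; continue; }
        hash=$(openssl x509 -in "$pem" -noout -hash)
        n=0
        while [ -e "$1/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$1/$hash.$n"
    done
)

# build_demo DIR: create a constructed test CA (ca.pem) and a leaf it signs (leaf.pem).
build_demo() (
    cd "$1"
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -extfile demo.cnf -extensions v3_leaf -days 1 -out leaf.pem 2>/dev/null
)

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    build_demo "$dir"
    link_ca_dir "$dir"
    openssl verify -CApath "$dir" "$dir/leaf.pem"
fi
```

Run with the argument `demo`, it leaves exactly one hash link in the directory (for `ca.pem`), and `openssl verify -CApath` finds the issuer of `leaf.pem` through that link.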