Good evening,
I've been trying to make sense of the various pieces of documentation
but I still don't have a comfortable understanding of certificates. My end
goal is to have an intranet environment where users are authenticated and
given a certain level of access based on a certificate. I'll detail what I
think I know, please let me know if my understanding is flawed.
Once I installed the server I have an SSLCertificateKeyFile which
contains the server's private key and is used to prohibit random people
from starting the server. I also have an SSLCertificateFile which is the
public certificate (signed by Verisign, et al. or in this case myself with a
ca.crt that I generated). This certificate has the public key which
matches the private key in SSLCertificateKeyFile.
The next step would be to create a certificate for each user (in my case
signed by myself). For each user I need to create a separate blah.crt CA
certificate (different from the CA cert I generated for the server in the
previous paragraph) that goes into SSLCACertificatePath and is used to sign
a certificate that is given to the user. Each user then imports the
certificate and when they connect their certificate is authenticated with
the corresponding CA certificate. I can then drop in some arbitrarily
complex directives into Apache to control access as described in How-To of
the manual. If a user goes away, I can always then move the CA cert into
SSLCARevocationPath.
Is any of this off-base?
The SSL docs that I've read don't talk about situations where both ends
have certificates. How does that work? For example, when data goes from
server to client, is the data encrypted with the server's private key or
the client's public key?
What format of certificates do recent versions of Netscape or IE
prefer to import?
TIA
john.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
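The setup described in the mail, worked through end to end as an added example (this is editor-supplied code, not john's nor anything from mod_ssl or modssl.org). It shows the shape of a working deployment: one private CA signs the server certificate and every user certificate, each user gets their certificate plus key as a password-protected PKCS#12 file for browser import, mod_ssl checks client certificates against that single CA file and decides access on the client certificate's subject DN, and a departing user is handled by revoking their certificate into a CRL rather than by moving a CA certificate. Everything named here is invented for the demo: the "Example Intranet CA" subject, the host intranet.example.internal, the user "alice", the export password "changeit", the PKI_WORK/WORK variable and all file names.

```shell
#!/bin/sh
# Added example, not from the original mail or from mod_ssl: one private CA
# issues the server and user certificates, exports a user cert as PKCS#12,
# revokes it via a CRL and writes matching mod_ssl directives. All names
# (Example Intranet CA, intranet.example.internal, alice, "changeit") are invented.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
WORK=${PKI_WORK:-$(mktemp -d)}
cd "$WORK"

# Minimal 'openssl ca' config: database files plus one extension profile each
# for the CA, server certificates and user certificates.
write_config() { cat > demo.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.internal
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# 1. The CA: a self-signed root. ca.crt is what SSLCACertificateFile points at.
make_ca() {
    mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config demo.cnf -extensions ca_ext -keyout ca.key -out ca.crt \
        -subj "/O=Example Intranet/CN=Example Intranet CA" 2>>openssl.log
}
# 2. Issue from that one CA: key + CSR, then the CA signs with the named profile.
issue_cert() {   # issue_cert <name> <subject DN> <extension profile>
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>>openssl.log
    openssl ca -batch -notext -config demo.cnf -extensions "$3" \
        -in "$1.csr" -out "$1.crt" 2>>openssl.log
}
# 3. Browser import: key + certificate + CA chain in a password-protected PKCS#12.
export_p12() {
    openssl pkcs12 -export -name "$1" -in "$1.crt" -inkey "$1.key" \
        -certfile ca.crt -out "$1.p12" -passout pass:changeit 2>>openssl.log
}
# 4. Revocation: flag the cert in the CA database and publish a fresh CRL.
revoke_cert() {
    openssl ca -config demo.cnf -revoke "$1.crt" 2>>openssl.log
    openssl ca -config demo.cnf -gencrl -out ca.crl 2>>openssl.log
}
# Verification as a peer does it: chain only, or chain plus CRL. Exit 0 = valid.
chain_ok()         { openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1; }
chain_and_crl_ok() { openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1; }

# 5. mod_ssl directives consuming the files above; access is decided on the
#    client cert's subject DN. SSLCARevocationCheck is Apache 2.4 syntax.
write_httpd_conf() { cat > ssl-client-auth.conf <<EOF
SSLEngine on
SSLCertificateFile    $WORK/server.crt
SSLCertificateKeyFile $WORK/server.key
SSLCACertificateFile  $WORK/ca.crt
SSLCARevocationFile   $WORK/ca.crl
SSLCARevocationCheck  chain
SSLVerifyClient       require
SSLVerifyDepth        1
<Location /staff>
    SSLOptions +StrictRequire
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Intranet"
</Location>
EOF
}

write_config; make_ca
issue_cert server "/O=Example Intranet/CN=intranet.example.internal" server_ext
issue_cert alice  "/O=Example Intranet/CN=alice" client_ext
export_p12 alice; write_httpd_conf
chain_ok alice && echo "alice.crt chains to ca.crt"
revoke_cert alice
chain_and_crl_ok alice  || echo "alice.crt now rejected by the CRL check"
chain_and_crl_ok server && echo "server.crt still valid; PKI written to $WORK"
```

The user imports alice.p12 (key, certificate and CA in one bundle) into the browser; the server only ever holds ca.crt, ca.crl and its own key pair. On the second question in the mail: with certificates on both ends, neither party's private key encrypts the application data. The certificates authenticate the handshake (the client proves possession of its key by signing handshake data, the server by the key exchange), and the record traffic in both directions is protected with a symmetric session key negotiated during that handshake.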