--- Original Message ---
> I've been trying to make sense of the various pieces of documentation
>but I still don't have a comfortable understanding of certificates. My
end
>goal is a have an intranet environment where users are authenticated and
>given a certain level of access based on a certificate. I'll detail what
I
>think I know, please let me know if my understanding is flawed.
> Once I installed the server I have an SSLCertificateKeyFile which
>contains the server's private key and is used to prohibit random people
>from starting the server. I also have an SSLCertificateFile which is the
>public certificate (signed Versign, et. al. or in this case myself with a
>ca.crt that I generated). This certificate has the public key which
>matches the private key in SSLCertificateKeyFile.
So far, this is correct. (The 'used to prohibit random people from
starting the server' is based on knowledge of the passphrase that was used
to encrypt the server's secret key -- it's possible to bypass the
requirement for the passphrase to be entered, by not encrypting it. Not
recommended.)
> The next step would be to create a certificate for each user (in my
case
>signed by myself). For each user I need to create a separate blah.crt CA
>certificate (different from the CA cert I generated for the server in the
>previous paragraph) that goes into SSLCACertificatePath and is used to
sign
>a certificate that is given to the user. Each user then imports the
>certificate and when they connect their certificate is authenticated with
>the corresponding CA certificate. I can then drop in some arbitrarily
>complex directives into Apache to control access as described in How-To
of
>the manual. If a user goes away, I can always then move the CA cert into
>SSLCARevocationPath.
Okay, here's where it gets tricky.
In order to do this, you need to get the -client- to generate a key pair,
such that the secret key is never seen by the server. The ways of doing
this are different for each browser; I found documentation at one point,
but then had to move and lost track. However, both Netscape and MSIE have
documentation on their sites for how to deal with it. (If you're
confused, you can go to Thawte.com, register for their Freemail system,
and then look at the HTML that they generate.)
What happens is the CSR (which includes all the information that goes into
the eventual X.509 cert) gets sent to the server, which then (hopefully)
validates the information and then invokes the cert signing process on the
CSR. Then, the user goes back and imports the cert from the same browser
they used to generate the CSR (this is important, because their secret
keys are not easily moved from place to place). Again, if you need to
figure out how to do this, looking at Thawte.com is not an unreasonable
place to start.
(A hint: MSIE does the import via an ActiveX control, while Netscape seems
to do it via a .crt file. I've not played with this much.)
> Is any of this off-base?
> The SSL docs that I've read don't talk about situations where both
ends
>have certificates. How does that work? For example, when data goes from
>server to client, is the data encrypted with the server's private key or
>the client's public key?
Read the TLS1 spec; it describes this subject in detail. (First, the
client asks the server to authenticate itself, which it does by presenting
its certificate, the client verifying the certificate and then encrypting
a random session key with the public key in the cert it received, and the
server decrypting that and thereby going into encrypted mode. Then the
server asks the client to authenticate itself the same way, possibly with
changing the keys/ciphers used for that channel.)
Neither of the public/private keys are used for more than authentication;
a random session key is created for each channel (to or from). Once the
client's authenticated, there's no need to worry about it -- but either
side can force a change in the cipher used, any time it wants.
> What format of certificates does recent versions of Netscape or IE
>prefer to import?
I don't know the latest answer to that question.
>TIA
>john.
-Winged Wolf
smime.p7s
