Hi Folks,

I need to do something similar to what Norbert has done (detailed below), i.e.
request & authenticate a client certificate for a specific subtree of the
web server (e.g. the payment page of a site).
Could somebody clarify these doubts:
1. Is this implemented as part of the server configuration, or is it part of
the HTML page that needs the client authentication?
2. How can I have the same web server talk different protocols: HTTP, HTTPS
with only server authentication, and HTTPS with client authentication for
different parts of my web site?
3. Where and how is the logic to read certificates presented by the client
placed, and how can I grant access depending on the CA who issued a
certificate?

Thanks for the help.

Regards
Amol
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of George Lu
Sent: Thursday, March 30, 2000 2:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Verify Client


I tried similar things. I use my own CA, which is self signed, and my server
and client certs are signed by my CA. I then point SSLCertificateFile and
SSLCertificateKeyFile to my server crt and key, and
SSLCertificateChainFile to my CA cert. Using openssl I connect to my server
with

openssl s_client -connect localhost:8443 -state -cert client.crt -key client.key

I get the error message:
verify error:num=19:self signed certificate in certificate chain
and the SSL engine log says:
unable to get local issuer certificate.

Thanks for help.

Norbert Wegener wrote:

> I have set up my apache+mod_ssl (for the first time), created my own CA
> and server certs.
>
> Now I want to grant access to a specific tree of my webserver only to
> those clients which have a cert from my CA.
> I thought
> <Directory /web/securearea>
> SSLVerifyClient require
> SSLVerifyDepth 1
> </Directory>
>
> would do the job, created a client cert and imported it into a browser.
> Using this cert I can access the protected area of my server.
> Unfortunately I am asked for a certificate on every
> subsequent access to that area. This is something which I think is not
> very user-friendly.
> Is there a more user-friendly way to deal with this situation?
>
> Thanks
> Norbert Wegener
>
> --
> Norbert Wegener         Fax : (49) 201 2661 377
> SBS Essen                       Phone:(49) 201 2661 379
> Germany                 Mail: [EMAIL PROTECTED]
> http://relax.sbs.de (intranet)
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]

--
--------------------
George Lu
Oracle
503 525 3193


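As an added example that is not from this thread, one httpd configuration covering the three questions above: the client-certificate requirement is server-side configuration, one instance listens on both ports, and the check is scoped to a single Location and tied to the issuing CA. Hostnames, file paths and the CA organization name are assumed placeholders; directive names are mod_ssl's (on httpd 2.4, `Require expr` is the preferred replacement for `SSLRequire`).

```apache
# Added example, not from the thread. One httpd instance serving plain HTTP,
# HTTPS with server authentication only, and a client-cert-protected subtree.
# Hostnames, paths and the CA name below are assumptions.

Listen 80
Listen 443

# 1. Plain HTTP for public content.
<VirtualHost *:80>
    ServerName   shop.example.com
    DocumentRoot /web/htdocs
</VirtualHost>

# 2. HTTPS with server authentication only, as the default for the site.
<VirtualHost *:443>
    ServerName   shop.example.com
    DocumentRoot /web/htdocs
    SSLEngine on
    SSLCertificateFile      /etc/ssl/server.crt
    SSLCertificateKeyFile   /etc/ssl/server.key
    # Intermediate certs sent to clients so they can build the server's chain.
    SSLCertificateChainFile /etc/ssl/server-chain.crt
    # CA(s) trusted to issue *client* certificates. This file, not the chain
    # file, is what mod_ssl uses to verify the certificate a browser presents.
    SSLCACertificateFile    /etc/ssl/client-ca.crt
    SSLVerifyClient none

    # 3. Client authentication only for the payment subtree.
    <Location /payment>
        SSLVerifyClient require
        # Depth 1: the client cert must be issued directly by a CA in
        # SSLCACertificateFile.
        SSLVerifyDepth  1
        # Authorise on the issuer DN, so only certs from our own CA are accepted
        # even if other CAs are listed in SSLCACertificateFile.
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Shop CA"
        # Export SSL_CLIENT_* variables to the application behind this path,
        # so it can read the presented certificate's subject and issuer.
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

A per-Location SSLVerifyClient forces a TLS renegotiation when the subtree is first entered, which is what produces the repeated certificate prompts some browsers show. Setting SSLVerifyClient require at the VirtualHost level of a dedicated host (for example on a second port used only for the payment area) avoids that renegotiation.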