On Tue, Jul 11, 2000 at 08:32:09AM +0200, Thomas Barthel wrote:
> Hello,
> 
> I have installed apache with mod_ssl and it works well.
> Now I create client certificates with openssl and want
> to send them with "application/x-x509-user-cert" to the
> browser. I tested DER, PEM and PKCS12 but nothing really
> worked. Netscape says it doesn't know the corresponding 
> private key and Internet Explorer either wants to save
> my *.cgi-file or holds on loading and does nothing.
> There is no problem when I save the certificate on disk
> and import it by hand (neither IE nor Netscape).

For all these operations you must be aware that two different items
are needed:
- the private key (secret)
- the public key (included in the "certificate")

If you only download the user-cert, the corresponding private key
is missing; this is what Netscape tries to tell you.

Netscape does have its own function to generate a private/public
key pair. It then keeps the private key and includes the public
key with a "request". The request is then signed by the CA and
sent back to Netscape, which still has the private key.
This is used by several CA packages.

Hmm, I don't know whether you can also download the private key
via an "application/x-x509..." transfer; I only ever used the
PKCS12 way. It would not make sense, however, to have such a function,
since the private key of the user should only be known to him.
If somebody else created it, it is worthless.

Best regards,
        Lutz
PS. Having said this, for several of my DAUs I have created the keys
and the computer center of our university offers the same service for
those who don't know how to create such a key...
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
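
The enrolment flow described in the reply above, as an added example that is not part of the original thread: the client generates the key pair and a request, the CA signs it, and the returned certificate is only usable where the matching private key lives. It assumes the openssl command line is installed; the function names, subjects, file names and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added illustration; subjects, file names and the passphrase are constructed.

# True only if the certificate's public key belongs to the given private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Enrolment in directory $1: the client creates key + request, the CA signs.
enroll_demo() {
    d=$1
    # CA: throwaway self-signed CA for the demo.
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Client: the key pair is generated locally; only user.csr goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null || return 1
    # CA: sign the request. The CA never sees user.key.
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.crt" 2>/dev/null || return 1
    # A different client holding some other key, which is the situation when
    # only the certificate is downloaded.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# PKCS#12 carries certificate and private key together, which is why a manual
# import works; openssl refuses to build it when the key does not match.
bundle_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout pass:constructed-demo-pass 2>/dev/null
}

demo_dir=$(mktemp -d)
enroll_demo "$demo_dir"
cert_matches_key "$demo_dir/user.crt" "$demo_dir/user.key" \
    && echo "requesting client: certificate matches its private key"
cert_matches_key "$demo_dir/user.crt" "$demo_dir/other.key" \
    || echo "other client: no corresponding private key"
rm -rf "$demo_dir"
```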
