drt rappanah wrote:
> The client has its certificate installed in the browser. He asked the
> Netscape Certificate Server for a certificate and then installed it in the
> Browser.
>
> Sorry, I miss something about the authentication chain.
> The Apache server got a certificate from the Netscape Certificate Server.
> Does the server verify the client certificate by contacting the Netscape
> Certificate Server ?
> Does the client verify the server certificate by contacting the Netscape
> Certificate Server ?
Verification is done entirely in the server or client - they don't go
scooting about the web looking for Certificate Authorities... Browsers
usually have lots of CA certificates already installed (if you use
netscape, click on the wee padlock on the toolbar and see what happens).
Your browser will trust all websites using a certificate signed by a
known CA.
You want to do the converse of this - your server should verify clients
who have Netscape certificates. So your server needs a CA certificate
from Netscape.
> You suggest me to configure the SSLCACertificatePath...
> What does it mean ?
> Should I import all the client certificates of the Netscape Certificate
> Server in the directory conf/ssl.crt ?
This is where you put the CA certificate - NB you do not need all the
client certificates!
Did you read http://www.modssl.org/docs/2.7/ssl_reference.html#ToC13?
What you are trying to do is quite complicated and you should really
make sure you understand how it all works before going live. Reading the
documentation is meant to be the first step, not the last resort...
Regards,
Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
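
Added example, not part of the original thread and not mod_ssl's own code: a shell script using the openssl command line that shows the point made in the reply, namely that a client certificate is checked locally against the CA certificate alone. The CA and client names and the temporary ssl.crt directory are constructed for the demo; the script also shows the hashed file name that a directory used for SSLCACertificatePath needs.

```shell
#!/bin/sh
# Added example: all names, subjects and paths below are constructed for the demo.

# Create a self-signed CA (stands in for the CA that issued the client certs).
make_ca() {  # $1 = work dir, $2 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Issue a client certificate signed by the named CA.
issue_client() {  # $1 = work dir, $2 = CA name, $3 = client name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# Put a CA certificate into a hashed directory of the kind SSLCACertificatePath
# expects: lookups go by <subject-hash>.0, so a bare ca.crt is never found.
install_ca() {  # $1 = CA directory, $2 = CA certificate
    mkdir -p "$1" && cp "$2" "$1/" &&
    ln -sf "$(basename "$2")" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

# Local verification: only the CA directory and the presented cert are read.
verify_client() {  # $1 = CA directory, $2 = client certificate
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" trusted-ca && make_ca "$d" other-ca &&
    issue_client "$d" trusted-ca alice && issue_client "$d" other-ca outsider &&
    install_ca "$d/ssl.crt" "$d/trusted-ca.crt" || return 1
    verify_client "$d/ssl.crt" "$d/alice.crt"    && echo "alice: accepted"
    verify_client "$d/ssl.crt" "$d/outsider.crt" || echo "outsider: rejected"
    rm -rf "$d"
}
demo
```

No client certificate is ever copied into the CA directory, and nothing is fetched over the network: the signature on the presented certificate is checked against the one installed CA certificate.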