On 11 Jul 2001, at 9:51, Lutz Jaenicke wrote:

> On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
> ...
> > I imported iestuff.p12 into my MSIE browser and selected that certificate 
> > when prompted by the browser.
> > 
> > I then used the following SSL related values in my SSL vhost:
> > 
> >         SSLEngine       on
> >         SSLCertificateFile      /home/dan/CA/demoCA/cacert.pem
> >         SSLCertificateKeyFile   /home/dan/CA/demoCA/private/cakey.key
> > 
> >         SSLCACertificatePath    /home/dan/CA/demoCA/
> >         SSLCACertificateFile    /home/dan/CA/demoCA/cacert.pem
> > 
> >         <Location /securelocation>
> >                 SSLVerifyClient require
> >                 SSLVerifyDepth  1
> >         </Location>
> > 
> > Note that I'm using the CA certificate and key for the SSL and the 
> > SSLCA information.  Does that make sense?  I tried this:
> > 
> >         SSLCACertificatePath    /home/dan/CA/
> >         SSLCACertificateFile    /home/dan/CA/newcert.pem
> > 
> > But if I use that combination, my browser certificate is not listed in the 
> > "Client Authentication" dialog box presented by the browser when I go 
> > to /securelocation.
> > 
> > Why?  What have I misunderstood?
> 
> You should use three distinct certificates (and corresponding private keys):
> * The CA certificate. You already have one, use it with SSLCACertificateFile

        SSLCACertificatePath    /home/dan/CA/demoCA/
        SSLCACertificateFile    /home/dan/CA/demoCA/cacert.pem

> * The server's certificate. You don't have one by now. Create a new one
>   signed from your CA. Issue it for CommonName (CN) being the FQDN
>   (fully qualified domain name) of your server: Use it with
>   mv newkey.pem server_key.pem
>   mv newcert.pem server_cert.pem
>   SSLCertificateFile /path/to/server_cert.pem
>   SSLCertificateKeyFile /path/to/server_key.pem

        SSLCertificateFile      /home/dan/CA/server_cert.pem
        SSLCertificateKeyFile   /home/dan/CA/server_key.pem

> * The client key. You already put it into iestuff.p12...

Done.  Thank you.  That's working fine now.  I see what I was doing 
wrong.  I was swapping the server and CA certificates.  That's why the 
browser did not list any certificates when I visited the secure area of the 
site.

cheers

-- 
Dan Langille
pgpkey - finger [EMAIL PROTECTED] | http://unixathome.org/finger.php
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
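As an added example (not code from the thread, from Lutz, or from mod_ssl), the shell script below uses the openssl command line to build the three separate key/certificate pairs Lutz lists, checks that the server and client certificates chain to the CA, and includes a subject-equals-issuer check that catches the swap Dan describes. The $WORK directory, the file names in it and the FQDN server.example.test are assumptions.

```shell
# Added example, not from the thread: build the three distinct key/certificate
# pairs Lutz describes with the openssl CLI and check that the server and client
# certificates chain to the CA. $WORK and the FQDN server.example.test are assumed.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # CA key + self-signed CA cert: this is what SSLCACertificateFile names,
    # and it must not be reused as SSLCertificateFile
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/CN=Demo CA" 2>/dev/null
}
issue_cert() {
    # $1 = file prefix, $2 = CommonName; a key plus a certificate signed by the CA
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1_key.pem" \
        -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -out "$WORK/$1_cert.pem" 2>/dev/null
}
make_client_p12() {
    # client key + cert (+ CA cert) bundled for import into the browser
    openssl pkcs12 -export -inkey "$WORK/client_key.pem" \
        -in "$WORK/client_cert.pem" -certfile "$WORK/cacert.pem" \
        -out "$WORK/client.p12" -passout pass:changeit
}
verify_chain() {
    # succeeds only if certificate $1 was issued by the CA in cacert.pem
    openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1
}
is_self_signed() {
    # succeeds when subject == issuer, i.e. $1 is the CA cert; a server cert
    # wrongly placed in SSLCACertificateFile (Dan's swap) fails this check
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}
build_all() {
    make_ca
    issue_cert server server.example.test   # CN = the vhost's FQDN
    issue_cert client "Dan Langille"        # the certificate the browser presents
    make_client_p12
}
# Usage: WORK=/tmp/certs sh mkcerts.sh build
if [ "${1:-}" = "build" ]; then build_all && echo "written to $WORK"; fi
```

With the files in place, cacert.pem goes in SSLCACertificateFile and server_cert.pem/server_key.pem in SSLCertificateFile/SSLCertificateKeyFile, exactly as Lutz's reply lays out.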
