Hello,

that sounds a little bit complicated to me. Isn't it enough to protect the server, for example with .htaccess, and each person will get their own username / password? Moreover, normally the certificate request is to be checked at the RA site, thus you could only prevent someone from bringing in a lot of senseless requests, but the authentication of the person is not recognized to the certificate request.

Perhaps it helps you to have a look at the OpenCA Guide:
https://www.openca.org/projects/openca/openca-guide.pdf
Chapter 1.2.3 on page 47

Kind regards,
Matthias

On 4/17/07, Arsen Hayrapetyan <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I have the following problem.
> I have deployed the OpenCA public interface on my machine (with OpenCA
> 0.9.3-rc1).
> This interface has pages where system administrators can request
> certificates for hosts and services.
> I need to restrict access to these pages to persons possessing a
> valid personal certificate from a particular CA. For the rest of the
> pages the certificate (imported in the browser) should not be required.
> I am considering the following scenario:
>
> 1) The user imports his personal certificate from the CA into the browser.
> 2) He types the URL into the browser's address bar:
> https://myserver.am/cgi-bin/pub/pki?cmd=basic_csr&CSR_PROFILE=HOST
>
> 3) OpenCA checks that the request is made to the host CSR page
> (examining the QUERY_STRING variable, which in this case is set to
> "cmd=basic_csr&CSR_PROFILE=HOST"). Then OpenCA checks the user's
> certificate (examining the variable OPENCA_AC_CHANNEL_SSL_CLIENT_S_DN).
> If there is a valid certificate, the host CSR page is returned, otherwise
> an error message is generated, which states that the user must have a valid
> certificate imported into his browser.
>
> The question is: how can the third step be implemented? Which script has
> to be modified (where should the QUERY_STRING and certificate data be
> checked)? As I can see, the CGI initialization is performed by the initCGI
> script, which is loaded by the 'require "$common_libs/initCGI" ' statement
> in the "pki" script.
>
> I am sorry if this question is better suited to the developers' mailing list
> than the users' one.
>
> Any help will be appreciated.
> Arsen.
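The check described in step 3 of the quoted question, as an added example that is not part of this thread and is not OpenCA code. It assumes Apache mod_ssl with `SSLVerifyClient optional` and `SSLOptions +StdEnvVars`, and reads mod_ssl's standard `SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN` and `SSL_CLIENT_I_DN` variables instead of the OpenCA variable named in the question; the function names and the issuer DN are hypothetical placeholders.

```perl
# Added example (not OpenCA code): gate one CGI page on a verified client cert.
use strict;
use warnings;
# Assumption: placeholder issuer DN of the one CA whose certificates are accepted.
my $TRUSTED_ISSUER = '/C=XX/O=Example Org/CN=Example CA';

# Parse QUERY_STRING into name => [values]; parameter order and repeats are kept.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /[&;]/, defined $qs ? $qs : '') {
        # Pad with '' so a missing name or value never comes back undefined.
        my ($k, $v) = (split(/=/, $pair, 2), '', '');
        next unless length $k;
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge }
        push @{ $p{$k} }, $v;
    }
    return \%p;
}

# Protected if any cmd value is basic_csr and any CSR_PROFILE value is HOST.
sub is_protected {
    my ($p) = @_;
    my $cmd  = grep { $_ eq 'basic_csr' } @{ $p->{cmd} || [] };
    my $prof = grep { $_ eq 'HOST' } @{ $p->{CSR_PROFILE} || [] };
    return ($cmd && $prof) ? 1 : 0;
}

# A DN being present is not enough: mod_ssl must report a verified chain,
# and the issuer must be the one CA this page is meant to trust.
sub client_cert_ok {
    my ($env) = @_;
    return 0 unless ($env->{SSL_CLIENT_VERIFY} || '') eq 'SUCCESS';
    return 0 unless length($env->{SSL_CLIENT_S_DN} || '');
    return (($env->{SSL_CLIENT_I_DN} || '') eq $TRUSTED_ISSUER) ? 1 : 0;
}

sub access_decision {
    my ($env) = @_;
    return 'allow' unless is_protected(parse_query($env->{QUERY_STRING}));
    return client_cert_ok($env) ? 'allow' : 'deny';
}

# Constructed sample requests (environment hashes as a CGI script would see them).
my @samples = (
    { QUERY_STRING => 'cmd=some_public_page' },
    { QUERY_STRING => 'cmd=basic_csr&CSR_PROFILE=HOST', SSL_CLIENT_VERIFY => 'NONE' },
    { QUERY_STRING => 'CSR_PROFILE=HOST&cmd=basic_csr', SSL_CLIENT_VERIFY => 'SUCCESS',
      SSL_CLIENT_S_DN => '/CN=Constructed Admin', SSL_CLIENT_I_DN => $TRUSTED_ISSUER },
);
printf "%-45s %s\n", $_->{QUERY_STRING}, access_decision($_) for @samples;
```

The gate looks only at QUERY_STRING, as step 3 describes; if the same parameters can also arrive in a POST body, they need the same check.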
