I want to limit clients' access to my web server by installing a certificate in their browsers.
Thanks for the advice, Martin. I will start doing my homework now.

Cheers

On Fri, 2005-11-11 at 09:55 +0100, Martin Bartosch wrote:
> Hi Christopher,
>
> > Since "one certificate per IP" means I will be able to create only 1
> > certificate and send it to my partners. Those who do not have the
> > certificate will not be able to access my web server?
>
> Definitely not. If I understand you correctly, you want to enable
> client authentication. In this case you should create and deliver
> individual SSL Client certificates to each individual client.
>
> What Oliver meant is that it is not(*) possible to define multiple
> SSL-protected virtual hosts on one single IP that use different
> server certificates.
>
> (*) This has been addressed in an RFC, IIRC, but is not widely supported
> by today's browsers.
>
> > So do I still need to use a virtual host for my web server?
>
> Although it is possible to configure SSL without a VirtualHost
> definition, it is common practice to use a VirtualHost section
> for this, and I'd recommend doing so.
>
> It is not very clear what you want to achieve. Do you want to simply
> protect your web server with SSL (Server Authentication) or do you
> also want to limit client access by forcing them to authenticate
> with a valid certificate installed in their browser (Client
> Authentication)?
>
> To me it seems you have not read the excellent mod_ssl documentation;
> this is really helpful and the canonical source of information for
> this topic.
>
> Don't take this personally, but from the questions you have been
> posting on this list during the past weeks I get the impression that
> you are not very familiar with the whole topic of SSL, PKI, Apache
> and Unix.
> You should be aware that it is very unlikely that you will end up
> with a secure solution by applying trial & error.
> You will very likely end up with something that somehow works, but
> it is very doubtful that it will work securely.
> If you intend to set up something serious I strongly recommend either
> learning much more about the underlying technology (PKI, SSL,
> mod_ssl, Apache) or involving someone who is proficient with the
> topic.
>
> cheers
>
> Martin
>
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
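
The client-authentication setup discussed in this thread, as an added example that is not part of the original messages: a mod_ssl VirtualHost that does server authentication and also requires a client certificate issued by your own CA. The host name, log name and all file paths are placeholders (assumptions).

```apache
# Added example, not from the thread. Host name and file paths are
# placeholders (assumptions); adjust them to your installation.
<VirtualHost _default_:443>
    ServerName www.example.com

    # Server authentication: the certificate the server presents to browsers.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Client authentication: trust only the CA that issued the
    # individual client certificates handed out to each partner.
    SSLCACertificateFile  /etc/apache2/ssl/partner-ca.crt

    # "require" aborts the handshake when no valid certificate is presented.
    # "optional" would still let clients without a certificate connect.
    SSLVerifyClient require

    # Accept only certificates signed directly by a CA known to the
    # server (no intermediate CAs in the client's chain).
    SSLVerifyDepth  1

    # Export SSL_CLIENT_* variables (e.g. SSL_CLIENT_S_DN) to CGI/SSI so
    # the application can tell which client connected.
    SSLOptions +StdEnvVars

    # Record the subject DN of the client certificate with each request.
    CustomLog logs/ssl_client.log "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\""
</VirtualHost>
```

Because each partner holds an individual certificate, the logged subject DN identifies who made each request.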
