Hello,

I have the following problem. I have deployed the OpenCA public interface on my machine (with OpenCA 0.9.3-rc1). This interface has pages where system administrators can request certificates for hosts and services. I need to restrict access to these pages to persons possessing a valid personal certificate from a particular CA. For the rest of the pages, the certificate (imported in the browser) should not be required. I am considering the following scenario:
1) The user imports his personal certificate from the CA into the browser.
2) He types the URL into the browser's address bar: https://myserver.am/cgi-bin/pub/pki?cmd=basic_csr&CSR_PROFILE=HOST
3) OpenCA checks that the request is made to the host CSR page (examining the QUERY_STRING variable, which in this case is set to "cmd=basic_csr&CSR_PROFILE=HOST"). Then OpenCA checks the user's certificate (examining the variable OPENCA_AC_CHANNEL_SSL_CLIENT_S_DN). If there is a valid certificate, the host CSR page is returned; otherwise an error message is generated, which states that the user must have a valid certificate imported into his browser.

The question is: how can the third step be implemented? Which script has to be modified (where should the QUERY_STRING and certificate data be checked)? As far as I can see, the CGI initialization is performed by the initCGI script, which is loaded by the 'require "$common_libs/initCGI"' statement in the "pki" script.

I am sorry if this question is better suited to the developers' mailing list than the users' one. Any help will be appreciated.

Arsen.
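The check described in step 3, as an added example that is not part of the original post and is not OpenCA code. It assumes Apache mod_ssl with optional client verification exporting SSL_CLIENT_VERIFY, SSL_CLIENT_I_DN and SSL_CLIENT_S_DN to the CGI environment (used here instead of the OPENCA_AC_CHANNEL_* variable named in the post); the function names and the issuer DN are hypothetical placeholders.

```perl
use strict; use warnings;

# Placeholder issuer DN; it must match the string format the web server emits.
my $TRUSTED_ISSUER = '/C=XX/O=Example Org/CN=Example Personal CA';
# cmd => CSR_PROFILE values that require a client certificate (from the post).
my %PROTECTED = (basic_csr => { HOST => 1 });

# Decode the query string by parameter name, so parameter order, %-encoding
# and repeated parameters cannot slip past a raw string comparison.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /[&;]/, $qs // '') {
        my ($k, $v) = (split(/=/, $pair, 2), '', '');
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        push @{ $p{$k} }, $v if length $k;
    }
    return \%p;
}

sub needs_cert {
    my ($p) = @_;
    for my $cmd (@{ $p->{cmd} // [] }) {
        my $profiles = $PROTECTED{$cmd} or next;
        return 1 if grep { $profiles->{uc $_} } @{ $p->{CSR_PROFILE} // [] };
    }
    return 0;
}

# mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the chain validated.
sub check_access {
    my ($env) = @_;
    return (1, 'public page') unless needs_cert(parse_query($env->{QUERY_STRING}));
    return (0, 'no verified client certificate')
        unless ($env->{SSL_CLIENT_VERIFY} // '') eq 'SUCCESS';
    return (0, 'certificate not issued by the required CA')
        unless ($env->{SSL_CLIENT_I_DN} // '') eq $TRUSTED_ISSUER;
    return (1, 'client ' . ($env->{SSL_CLIENT_S_DN} // ''));
}

# Constructed sample environments (not captured traffic).
for my $env (
    { QUERY_STRING => 'cmd=other_page' },
    { QUERY_STRING => 'CSR_PROFILE=%48OST&cmd=basic_csr', SSL_CLIENT_VERIFY => 'NONE' },
    { QUERY_STRING => 'cmd=basic_csr&CSR_PROFILE=HOST', SSL_CLIENT_VERIFY => 'SUCCESS',
      SSL_CLIENT_I_DN => $TRUSTED_ISSUER, SSL_CLIENT_S_DN => '/CN=Constructed Admin' },
) {
    my ($ok, $why) = check_access($env);
    printf "%-34s %s (%s)\n", $env->{QUERY_STRING}, $ok ? 'ALLOW' : 'DENY', $why;
}
```

A non-empty subject DN alone does not show which CA issued the certificate or whether the chain validated, which is why the sketch tests SSL_CLIENT_VERIFY and the issuer DN. If cmd can also arrive in a POST body, the same test has to cover it.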
