Hi.
We were having a similar problem and worked around by changing the
Apache config. It's probably not the best solution but it worked for us
without having to dig too deep into the OpenCA configuration and
possibly break our whole infrastructure...
These are the important settings in the httpd.conf:
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /opt/openca924/var/crypto/chain/cacert.crt
<Location /<the path you want to restrict>>
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequire \
%{SSL_CLIENT_S_DN} eq "<the dn you want to allow>" \
or %{SSL_CLIENT_S_DN} eq "<another dn you want to allow>"
</Location>
It should be possible to use a regular expression for the SSLRequire
option, I'm just not sure about the syntax...
Cheers,
Markus
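As an added example that is not from Markus's mail or from OpenCA, here is the same restriction expressed with mod_ssl's per-component DN variables and the regex operator Markus was unsure about, adapted to Arsen's OU=SA case; the location path, the error page and the issuer DN are placeholders, and the DN string format in the regex comment assumes Apache 2.2.

```apache
# Added example, not Markus's config or OpenCA's: gate a public request
# page on a client certificate issued by the site CA with OU=SA, and
# serve an explanatory page when the browser presents no certificate.
# "/pub/host-request", "/denied.html" and the issuer DN are placeholders.
SSLCACertificateFile /opt/openca924/var/crypto/chain/cacert.crt

<Location /pub/host-request>
    # "optional": a browser with no certificate still completes the TLS
    # handshake, so the SSLRequire failure below can return a real page
    # (a certificate that fails CA validation still aborts the handshake).
    SSLVerifyClient optional
    # 1 = the client cert must be signed directly by a CA in the chain file
    SSLVerifyDepth 1

    # Component variables avoid a regex for the simple case.
    # SSL_CLIENT_VERIFY is "SUCCESS" only when a cert was presented and
    # validated against SSLCACertificateFile.
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
           and %{SSL_CLIENT_S_DN_OU} eq "SA" \
           and %{SSL_CLIENT_I_DN} eq "<issuer DN of your OpenCA CA>"

    # Regex form on the whole subject DN (Apache 2.2 writes the DN as
    # /C=XX/O=Org/OU=SA/CN=name; Apache 2.4 uses the RFC 2253 comma
    # format unless SSLOptions +LegacyDNStringFormat is set):
    # SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
    #        and %{SSL_CLIENT_S_DN} =~ m#/OU=SA(/|$)#

    # mod_ssl answers a failed SSLRequire with 403; serve the explanation
    # from a path outside this Location.
    ErrorDocument 403 /denied.html
</Location>
```

On Apache 2.4, SSLRequire is deprecated in favour of `Require expr`, which accepts the same `%{SSL_CLIENT_...}` variables. `SSLVerifyClient optional_no_ca` would also let an unverifiable certificate reach the 403 page, but then the SSL_CLIENT_VERIFY check is the only thing keeping such a certificate out.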
On Thu, 2007-04-26 at 19:44 +0500, Arsen Hayrapetyan wrote:
> Hello Matthias,
> Thank you for the response.
> > Hello,
> >
> > Sounds a little bit complicated to me. Isn't it enough to protect the
> > server, for example with .htaccess, so that each person gets their own
> > username / password?
> The thing is that I am going to restrict access to some public
> interface pages,
> for example: there is a page for requesting a certificate for hosts.
> The pre-condition for requesting such a certificate is that the person
> accessing the page MUST have a valid certificate from my Certification
> Authority (CA), with OU=SA (site administrator) in the certificate subject
> DN, imported into his browser. I would like to inspect the DN of the
> client's certificate and, if it matches the criteria I need, provide him
> with the request form, otherwise show him an error message (page)
> describing the reason for denying access to the form (invalid
> certificate, absence of an imported certificate, etc.). I cannot contact
> each site administrator to tell him the username and the password.
> > Moreover, normally the certificate request is to be checked at the RA
> > site, thus you could only prevent someone from bringing in a lot of
> > senseless requests, but the authentication of the person is not
> > recognized for the certificate request.
> >
> > Perhaps it helps you to have a look at the OpenCA Guide:
> >
> > https://www.openca.org/projects/openca/openca-guide.pdf
> >
> > Chapter 1.2.3 on page 47
> >
> This chapter is about accessing the interface with X.509 certificates
> by the manager (CA operator, RA operator, etc.), not the user (client,
> requester), doesn't it?
>
> Best regards,
> Arsen.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users