> The apache/mod_ssl "HowTo" states that a directory can be
> defined to require clients to be authenticated for a particular
> URL based upon client certificates signed by a certificate
> specified by the keyword SSLCACertificateFile.  I assume
> that this implies that I can use my own self-signed CA cert
> file to sign these client certificates. A really nice feature for
> internal control of data on the intranet.

That's right.

> Now what is the secret to get the Microsoft Explorer (5.+) to
> accept these client certificates and pass them to the https
> server? The explorer pops up a dialog box asking which cert
> to use (which is good) when I connect to the https server
> with the URL of the protected directory,  however nothing is
> in the dialog box to select!

The empty dialog is a bug.  It has been fixed in the most
recent release of IE.

However, the reason IE doesn't display any certificates in the
dialog is not a bug; read on.

i.e. the bug in IE is to display a dialog when it's clear there is
nothing the user can do.

> No matter what I do, I cannot import a client cert into the
> explorer and have it end up in the dialog box.  Is this
> another one of those internal Microsoft secrets or another
> clever "feature" forcing the world to pay for commercial
> grade client certificates?

Poor (yeh right) old MS, they get blamed for some terrible
things, but no, this isn't a clever feature of IE.  As far as I
know MS are not in league with the commercial CAs.

There are several things that could be wrong.

1. Did you successfully import your client certificate into your
personal certificate store?

You should be able to see your certificate listed if you look
under Tools; Internet Options; Content; Certificates; Personal
Certificates (or something like that - I'm working from memory
here).

When you import your certificate, you need to import it in
PKCS#12 format so that you include the private key associated
with the certificate.

To convert a PEM certificate/private key pair to PKCS#12
format, use the 'openssl pkcs12' command.  As I'm ill and
working from my PDA, I can't remember the exact arguments
at the moment, but a quick search of the archive will turn up
recent posts on how to use this command.  Or you can look
at the docs.

2. Have you imported the CA certificate onto the client PC?

I'm not 100% on this one, but I'm pretty sure IE won't use a
client certificate that it doesn't trust.  You obviously don't
need to import this certificate as PKCS#12 with the CA's
private key.  Importing the PEM certificate should be OK.

I seem to recall a problem with IE when trying to import PEM
certificates that include other text (like a human-readable form
of the certificate) before the BEGIN CERTIFICATE line.  Just
remove all these lines and you should be OK.

3. Does the keyUsage attribute on the client certificate
include the authenticate and encrypt roles?  What about
the extendedKeyUsage?

keyUsage et al. is a non-authenticated attribute, so you can
change the current value from within the IE certificate
manager.

Alternatively, you can set these attributes when you create
your certificates.  Look at the openssl.cnf supplied.  It includes
an example of setting these attributes.

4. Does your server trust the CA used to sign the client
certificate?

The SSL protocol sends a list of CAs that the server trusts
to the client when a client tries to access a resource that
requires (or requests) a client certificate.  In this way, the
client will not choose a certificate that the server will find
unacceptable.

This is the most common source of confusion with client
authentication.

I'm not sure about how to set up the trusted certificates in
Apache, look at your docs for this one.

        - Dale.
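Worked example (added here; it is not Dale's code and not part of the
OpenSSL project): a POSIX shell script that carries the four points
above through with the openssl command line.  It builds a self-signed
CA, issues a client certificate whose keyUsage/extendedKeyUsage are set
for client authentication (point 3), bundles certificate and private
key as PKCS#12 for the browser import (point 1), strips the
human-readable dump that 'openssl ca' writes before the BEGIN
CERTIFICATE line (point 2), and emits the mod_ssl directives that make
the server trust the CA (point 4).  The scratch directory, file names,
subject names and the export password "changeit" are assumptions; the
openssl subcommands and the SSLCACertificateFile / SSLVerifyClient /
SSLVerifyDepth directives are the real ones.

```shell
#!/bin/sh
# Added example, not code from the original post.  Walks the four points
# end to end with OpenSSL: a self-signed CA, a client certificate carrying
# the keyUsage/extendedKeyUsage values for client authentication, a PKCS#12
# bundle (cert + private key) for the browser import, a helper that strips
# the text dump "openssl ca" puts before BEGIN CERTIFICATE, and the mod_ssl
# fragment that makes the server trust the CA.  Every file name, subject
# name and the export password "changeit" are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Minimal req config so the script does not depend on the system openssl.cnf.
# v3_ca marks the self-signed cert as a CA; client_ext.cnf is used for the leaf.
write_configs() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/client_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Point 4 (server side): the self-signed CA that SSLCACertificateFile points at.
make_ca() {
    write_configs
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Intranet/CN=Example Intranet CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Point 3: client key + CSR, signed by the CA with the client-auth extensions.
make_client_cert() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Example Intranet/CN=alice" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/alice.csr" -days 365 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client_ext.cnf" -out "$WORK/alice.crt" 2>/dev/null
}

# Point 1: PKCS#12 = certificate + private key (+ CA chain) in one file, which
# is what the browser's import wizard needs to file the cert under "Personal".
make_pkcs12() {
    openssl pkcs12 -export -in "$WORK/alice.crt" -inkey "$WORK/alice.key" \
        -certfile "$WORK/ca.crt" -name "alice (intranet)" \
        -passout pass:changeit -out "$WORK/alice.p12"
}

# Point 2: keep only the BEGIN..END CERTIFICATE block(s) of a PEM file,
# dropping any text dump that precedes them.  $1 = input file; prints result.
strip_pem_preamble() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1"
}

# Point 4 (server side): mod_ssl directives; the Location path is assumed.
apache_fragment() {
    cat <<EOF
SSLCACertificateFile $WORK/ca.crt
<Location /protected>
    SSLVerifyClient require
    SSLVerifyDepth  1
</Location>
EOF
}

# --- checks to run before blaming the browser ----------------------------
client_eku_is_clientauth() {     # EKU must name TLS client authentication
    openssl x509 -in "$WORK/alice.crt" -noout -text \
        | grep -q 'TLS Web Client Authentication'
}
client_cert_chains_to_ca() {     # the same check the server's verify step does
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/alice.crt" >/dev/null 2>&1
}
pkcs12_subject() {               # round-trip the bundle; prints the cert subject
    openssl pkcs12 -in "$WORK/alice.p12" -passin pass:changeit -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -subject
}

if [ "${1:-}" = "run" ]; then    # usage: sh clientcert.sh run
    make_ca && make_client_cert && make_pkcs12
    client_eku_is_clientauth && client_cert_chains_to_ca && pkcs12_subject
    apache_fragment
fi
```

Run it as 'sh clientcert.sh run'.  The check functions at the end are the
ones worth running first: if 'openssl verify' against the CA fails, Apache
will reject the certificate too, whatever the browser does.  To see the CA
list the server sends with its certificate request (point 4), connect with
'openssl s_client -connect host:443' and look for "Acceptable client
certificate CA names"; if your CA is not in that list the browser has
nothing it can offer.  One caveat for old browsers: OpenSSL 3's 'pkcs12
-export' defaults to AES/PBKDF2 encryption of the bundle; its -legacy
option produces the older RC2/3DES encoding that browsers of IE 5's
vintage expect.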


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
