> I need to set up secure access to Web accessible database.
> I'm going to be using Apache on a Linux machine, which I have 
> already started trying out with bogus certificates. However,
> I need some help on the client side.

Not quite sure what you mean by bogus certificate.

> I know that both Netscape and IE support client certificates, 
> but I don't know how it works exactly. How is it that a certificate
> cannot be copied between browsers?

Nothing prevents a certificate from being copied between browsers.  Client
authentication works because it proves that the client is in possession
of both the certificate and the associated private key.

The protection of this private key is what's important here.  You may
rely on the hardware being physically secure to prevent the key being
stolen, or on the operating system, or require that the private key be
stored on a smart card.  However you do it, your guarantee of client
ID is only as secure as that private key.

> Do Netscape & IE generate a unique ID key?

Nope.

> Any pointers to docs on how to set that up? Maybe a client-request
> web page?

It's pretty easy to create certificate requests using a web-page and
the openssl command line tool.  Look at the documentation for 'req'.
I use a simple perl script to process the contents of the web-page 
and generate the request.

> In any case, how do the certificates get to the clients once 
> I've signed them?

However you like; it's probably worth converting them to PKCS#12, as
you'll need to provide them with the private key as well (and this is
the format browsers like to be given client certificates in). You can
do this using the openssl 'pkcs12' command (again, see the docs).

E-mail attachments are generally a fairly reliable means of returning
the appropriate data.

> How do I know that I'm giving the certificate to the browser that
> requested it?

You get them to include a password in the request, which is used to
encrypt the private key.  Without that password, the private key is
of no use to them and they can't perform client authentication.

The really big question is how you know that they are who they claim
to be when they make a certificate request.

        - Dale.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
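The whole round trip Dale describes can be done with a handful of openssl commands. The script below is an added example, not code from the post or from the OpenSSL project: it builds a throwaway CA, generates a client key encrypted with the requester's password plus a certificate request ('req'), verifies and signs the request, packs certificate, key and CA certificate into a PKCS#12 bundle ('pkcs12'), and then runs the checks that show the key really is useless without the password. The CA name, the user "alice", the file names and the passphrase are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: Dale's client-certificate
# workflow done end to end with the openssl command line tool.
# The CA name, the user "alice", the file names and the passphrase are
# made up for the demo; the CA is a throwaway one kept in a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS='correct horse battery staple'   # constructed; really chosen by the requester

# 1. Throwaway CA with explicit CA extensions. A real CA key would be
#    encrypted and kept offline (or on a smart card / HSM).
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -subj '/CN=Demo Client CA' -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Requester's side: a fresh key, encrypted with the requester's password
#    (without that password the key is useless to anyone who gets the file),
#    plus a certificate request. A web page + script would collect the
#    subject fields and run exactly this.
make_request() {
  openssl req -new -newkey rsa:2048 \
    -passout "pass:$PASS" -keyout "$WORK/client.key" \
    -subj '/CN=alice/emailAddress=alice@example.org' \
    -out "$WORK/client.csr" 2>/dev/null
}

# 3. CA side. 'req -verify' only proves the CSR was signed by the matching
#    private key; whether "alice" really is alice is the out-of-band question.
sign_request() {
  openssl req -in "$WORK/client.csr" -verify -noout 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' \
    > "$WORK/client.ext"
  openssl x509 -req -days 90 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
}

# 4. Bundle cert + encrypted key + CA cert as PKCS#12 for the browser.
#    -passin unlocks the key; -passout protects the bundle in transit.
make_pkcs12() {
  openssl pkcs12 -export -name 'alice client cert' \
    -in "$WORK/client.crt" -inkey "$WORK/client.key" -certfile "$WORK/ca.crt" \
    -passin "pass:$PASS" -passout "pass:$PASS" -out "$WORK/client.p12" 2>/dev/null
}

# --- checks a relying party (or a test) can run ---------------------------

# Does the issued certificate chain to our CA?
cert_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Is the private key really unusable without the password?
key_rejects_wrong_password() {
  ! openssl pkey -in "$WORK/client.key" -passin pass:wrong -noout >/dev/null 2>&1
}

# Does the key open with the right password?
key_opens_with_password() {
  openssl pkey -in "$WORK/client.key" -passin "pass:$PASS" -noout >/dev/null 2>&1
}

# Does the bundle open with the password and carry alice's certificate?
p12_contains_client_cert() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q 'alice'
}

make_ca
make_request
sign_request
make_pkcs12
if cert_verifies && key_rejects_wrong_password && key_opens_with_password \
   && p12_contains_client_cert; then
  echo "client bundle ready: $WORK/client.p12"
else
  echo "something went wrong in $WORK" >&2
  exit 1
fi
```

Two practical notes. The password should travel separately from the .p12 attachment (phone, in person), otherwise whoever intercepts the mail gets both halves. And the PKCS#12 encryption defaults have changed over the years: OpenSSL 3 writes AES-256-CBC with PBKDF2, which browsers of the era this thread dates from (and some older tooling today) cannot read; OpenSSL 3's `pkcs12 -export -legacy` produces the older RC2/3DES encoding when that is needed, so check the bundle imports on the target browser before sending it out.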
