I've been poking around the mailing list archives and haven't found anyone trying to do this, but it's probably that I am searching on the wrong terms.

I've been creating normal certificate requests and keys for quite a while, but now I need to set up 'certificate based authentication' as described here:

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC7

If I'm understanding correctly, the best way is to set up our own CA, using 'CA.pl -newca' and create the necessary certificate. It seems that the comments in CA.pl are relevant in that it recommends doing this:

  CA.pl -newca
  CA.pl -newreq
  CA.pl -sign

First of all, is that the process I want to follow?

Second, what do I need to use as the CN for the CA cert created in the first step? Does it need to be a valid hostname, like in a normal site certificate?

Third, what do I actually distribute to the clients that need to authenticate? I end up with newcert.pem and newreq.pem. Do they get the cert? Do I need to change it to a different format first?

And finally, is there a good source of documentation describing how to import one of these certs into various types of browsers?

Thanks,
Ben

--
Ben Beuchler                                   There is no spoon.
[EMAIL PROTECTED]                                 -- The Matrix
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
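The three steps named in the message above, as an added example that is not part of the original post and is not the CA.pl script: it calls openssl directly, signs with `openssl x509 -req` instead of the `openssl ca` database that CA.pl drives, and then checks that the issued certificate chains to the CA for client authentication. The subject names, the file layout and the `make_client_cert` and `verify_client_cert` helpers are assumptions.

```shell
#!/bin/sh
# Added example. All subject names and file names below are constructed.

# Create a private CA, a client request and a CA-signed client certificate in $1.
make_client_cert() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # Step 1 (role of CA.pl -newca): self-signed CA key and certificate.
    # -nodes keeps the demo non-interactive; a real CA key needs a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # Step 2 (role of CA.pl -newreq): client key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/O=Example Org/CN=client1" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null || return 1
    # Step 3 (role of CA.pl -sign): the CA signs the request as a client cert.
    openssl x509 -req -in "$dir/newreq.pem" -days 90 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions v3_client \
        -out "$dir/newcert.pem" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 chains to CA $1 and is usable for TLS client auth.
verify_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" 2>/dev/null | grep -q ': OK$'
}
```

Running `make_client_cert ./demo` followed by `verify_client_cert ./demo/cacert.pem ./demo/newcert.pem` exercises the whole path; a certificate signed by a different CA key fails the second call even when the CA subject names match.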