Re: Creating client certificates ?

2002-04-04 Thread haldor

Here is what I did to generate client certificates. Be aware that 
clientakey.pem and clienta.pem are two different files.

1. openssl req -new -out clienta.csr -keyout clientakey.pem

Enter the details for the certificate, i.e. common name being the 
client/employee, Joe Bloggs.

2. openssl x509 -req -in clienta.csr -out clienta.pem -CA YOUR_SERVERS_CERTIFICATE \
   -CAkey YOUR_SERVERS_PRIVATE_KEY -CAcreateserial -days 365 -outform PEM

3. openssl pkcs12 -export -in clienta.pem -out clienta.p12 -inkey clientakey.pem \
   -name "Joe Bloggs"

Distribute clienta.p12 (rename clienta.p12 to Joe_Bloggs.p12) to 
client/employee.

Haldor.

On Thu, 4 Apr 2002 01:43:05 +0200 (MEST) [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
 
 Hello modssl users !
 
 I managed to set up an ssl aware web server.
 Although I searched the web and also the list
 archive I haven't been able to create a client
 certificate which is signed by my own CA for
 client authentication.
 
 Could someone describe the process of creating
 such a certificate in detail ?


Thank you Owen for your answer but you misunderstood
my question.
And you Maik misunderstood my question, too.
I, of course, read the FAQ and all the other available docs
but they say nothing about creating client (!) certificates !
The process of creating a server certificate is sufficiently
documented in the FAQ and it was no problem for me to
create it.

My question is: How can I create client (!) certificates for
 client authentication to the server and not
 server certificates ?!

Anyone ?

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
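
The three steps from haldor's reply, run non-interactively and followed by a chain check, as an added example that is not part of the original thread. It goes beyond the post by signing with a separate throwaway CA (the post uses the server's certificate and key), adding a clientAuth extension file and running `openssl verify`; the subjects, passphrase and function names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Subjects, the passphrase and
# all function names are constructed placeholders for a lab setup.

make_ca() {        # $1 = work dir; creates a throwaway self-signed test CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Test CA/CN=Example Client CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client() {   # $1 = work dir, $2 = common name of the client/employee
    # Mark the certificate as an end-entity certificate for TLS client auth.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$1/client.ext"
    # Step 1: key + CSR. -nodes leaves the key unencrypted so that nothing
    # prompts; the post's command asks for a passphrase instead.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/OU=Staff/CN=$2" \
        -keyout "$1/clientakey.pem" -out "$1/clienta.csr" 2>/dev/null &&
    # Step 2: sign the CSR with the CA key.
    openssl x509 -req -in "$1/clienta.csr" -out "$1/clienta.pem" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial -days 365 \
        -extfile "$1/client.ext" 2>/dev/null &&
    # Step 3: bundle certificate and key for import into the browser.
    openssl pkcs12 -export -in "$1/clienta.pem" -inkey "$1/clientakey.pem" \
        -name "$2" -passout pass:example-passphrase -out "$1/clienta.p12"
}

check_client() {   # $1 = CA certificate, $2 = client certificate
    # Succeeds only if the certificate chains to this CA and is usable
    # as a TLS client certificate.
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Run the whole flow once in a scratch directory.
work=$(mktemp -d) &&
    make_ca "$work" &&
    issue_client "$work" "Joe Bloggs" &&
    check_client "$work/ca.crt" "$work/clienta.pem" &&
    echo "clienta.pem verifies against ca.crt"
rm -rf "$work"
```

The certificate passed to `check_client` as `$1` is the one the server would list in SSLCACertificateFile; a client certificate signed by any other key fails the check.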




Problems with Client authentication and access control

2002-04-03 Thread haldor

Hello.

I have successfully done Client Authentication using client certificates with 
apache-openssl-modssl. 

SSLVerifyClient  none
<Directory /usr/local/apache/htdocs/secure/area>
SSLVerifyClient  require
SSLVerifyDepth   5
#SSLCACertificateFile conf/ssl.crt/ca.crt
#SSLCACertificatePath conf/ssl.crt
SSLOptions   +FakeBasicAuth
SSLRequireSSL
SSLRequire   %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
             %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
</Directory>

The definitions of SSLCACertificateFile and SSLCACertificatePath are above in 
the httpd.conf file. 
When I try to connect to https://www.xxx.xx/secure the server asks for the 
certificate, validates it and shows index.html in the secure directory. 
Everything seems to work fine.

But when I do a http://www.xxx.xx/secure I can still see the index.html. 
According to my understanding the index.html in the secure directory should not 
be shown. Can anyone help me with this? Is there anything more I should do to 
prevent access from http on the secure directory?

Thanks 
Haldor Husby.
