On 04/14/2011 12:46 PM, Gordon Sim wrote:
> On 04/13/2011 07:36 PM, Jakub Scholz wrote:
>> Due to the points above, I would prefer to use a solution where the
>> client generates a self-signed certificate with the assigned username
>> in the certificate subject and delivers the public key to me. I will check
>> that the username in the certificate is as assigned to the client and
>> load the public key into the certificate database as a peer (flags p
>> or P - as they are supported by the certutil tool). Then, when the
>> client connects, his key is verified not against the CA public key,
>> but against the public key of his own certificate. And since the
>> certificate is loaded as a peer and not as a trusted CA, the client cannot
>> use any other certificates signed by the original certificate to
>> connect. As far as I understood from the NSS documentation, this is
>> exactly how the peer certificates should be used. However, the broker
>> seems to be accepting only the trusted CA certificates and ignoring
>> the peer certificates :-(.
> Hmm, I hadn't tried that configuration before but I see what you mean.
> The client seems happy with having the server's certificate imported as a
> peer certificate, but not vice versa. I'll see if I can dig into this a
> little further.
NSS is apparently unable to support this. I.e. a certificate can't be
marked trusted for SSL client authentication, only for server client
authentication or as a CA (or for email or code signing outside of SSL).
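The admin-side half of the scheme Jakub describes (check the assigned username against the certificate's subject CN, then import as a peer rather than as a CA), as an added shell example that is not code from the thread or from Qpid; it assumes openssl and certutil (nss-tools) are on PATH and that the NSS database directory and certificate file names are supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread: the broker-admin side of the
# scheme described above. Check that the CN of a client's self-signed
# certificate equals the username the admin assigned, then import it into
# the NSS database as a peer (trust "P,,") rather than as a CA.
# Assumes openssl and certutil (nss-tools) are on PATH.

# cn_of_subject SUBJECT_LINE
# Pull the CN out of a line as printed by `openssl x509 -noout -subject`,
# in the legacy "/C=CZ/CN=bob" form or the newer "CN = bob, C = CZ" form.
cn_of_subject() {
    printf '%s\n' "$1" \
        | sed -e 's/^subject= *//' -e 's|^/||' -e 's|/|, |g' \
        | tr ',' '\n' \
        | sed -n -e 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' \
        | sed -e 's/[[:space:]]*$//' \
        | head -n 1
}

# cn_matches_user SUBJECT_LINE USERNAME: succeeds only on an exact match,
# so "alice2" or an empty CN never passes for the assigned user "alice".
cn_matches_user() {
    [ -n "$2" ] || return 1
    [ "$(cn_of_subject "$1")" = "$2" ]
}

# import_peer_cert CERT_PEM USERNAME NSS_DB_DIR
# Refuses certificates whose CN is not the assigned user or which are not
# self-signed, then adds the certificate under the username as nickname.
# Trust "P,," = trusted peer for SSL with no CA trust, so certificates the
# client signs with this key are not accepted for any other identity.
import_peer_cert() {
    cert=$1; user=$2; db=$3
    subject=$(openssl x509 -in "$cert" -noout -subject) || return 1
    if ! cn_matches_user "$subject" "$user"; then
        echo "refusing $cert: CN does not equal assigned user '$user'" >&2
        return 1
    fi
    # A self-signed certificate must verify against itself as the only CA.
    if ! openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "refusing $cert: not a valid self-signed certificate" >&2
        return 1
    fi
    certutil -A -d "$db" -n "$user" -t "P,," -i "$cert"
}

# Usage (not run here): import_peer_cert alice.pem alice /path/to/nssdb
```

As the thread concludes, an NSS-backed broker does not treat the P flag as sufficient for client authentication, so this import alone does not get the client accepted; the CN check is still the step that binds the certificate to the assigned identity.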
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]