Google Answers Logo
View Question
 
Q: mod_ssl ( Answered,   0 Comments )
Question  
Subject: mod_ssl
Category: Computers > Security
Asked by: dannyrg27ps-ga
List Price: $10.00
Posted: 02 Jul 2002 05:34 PDT
Expires: 01 Aug 2002 05:34 PDT
Question ID: 35766
step by step guide to setting up client certificates
Answer  
Subject: Re: mod_ssl
Answered By: wengland-ga on 12 Jul 2002 08:04 PDT
 
Greetings!

We're going to begin by assuming you have Apache running with mod_ssl
installed and properly configured, and you have a valid CA set up
already.

I'll address your question in two parts.

First, how to set up mod_ssl to accept or require client certificates:

"When you know your user community (i.e. a closed user group
situation), as it's the case for instance in an Intranet, you can use
plain certificate authentication. All you have to do is to create
client certificates signed by your own CA certificate ca.crt and then
verifiy the clients against this certificate. "

Place the following entry in your httpd.conf:


#   require a client certificate which has to be directly
#   signed by our CA certificate in ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/ca.crt

From the mod_ssl website documentation, Chapter 5
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6

If you require more detailed or complex configurations, visit the
above link.  They give directions for sectioning off the website,
using HTTPS and more.

Second, we need to create the user certificates.  This process vaires
depending on which browser the client is using.  You will use OpenSSL
directly for this step.  The general idea is that the user goes to a
web page with an HTML form, fills in their information, and on
submission of the form, a certificate is created and downloaded to the
browser.

The step by step directions are at the SSL Cookbook site:
http://www.pseudonym.org/ssl/ssl_cook.html#client_certs

With explicit examples and code and HTML for Netscape at:
http://www.pseudonym.org/ssl/ssl_nsclient_certs.html

And for IE at:
http://www.pseudonym.org/ssl/ssl_msclient_certs.html

If you have any further questions or need clarification, don't
hesitate to ask!

Thanks!


Search Terms Used:
openssl create client certificate
create client certificates mod_ssl
mod_ssl
Comments  
There are no comments at this time.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at answers-support@google.com with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  


Google Home - Answers FAQ - Terms of Service - Privacy Policy