You can use self-signed client certs too. You just have to explicitly tell Apache what to trust and what not to trust. You can also use your own in-house CA, if applicable.
Issac

On 20/11/2010 22:55, Rob Lemaster wrote:
> Thanks for that explanation Graham!
>
> I wasn't thinking in terms of CA-signed certificates like you and
> Issac pointed out, but more of a PGP-type model, where I could use my
> own self-signed public/private key pair created in Firefox to
> authenticate to many web sites. I realize that self-signed certs
> aren't as secure (from the server's point of view), but I could
> authenticate and answer pre-assigned secret questions before uploading
> my public key to confirm my identity before the server accepts it. I'd
> still be grateful for the additional security of CA-signed certs if my
> bank and Paypal would use them.
>
> -rob
>
> On Sat, Nov 20, 2010 at 12:42 PM, Graham Leggett <minf...@sharp.fm> wrote:
>
>> mod_ssl is used solely for https, yes, but the feature you're looking for is
>> built into https by default already.
>>
>> Certificates work symmetrically, both sides have the power to require the
>> other side to present a valid certificate.
>>
>> In the case you might be most familiar with, only one side has a certificate
>> (the server). The other side (the browser) has no certificate. In this
>> scenario, the browser can be sure it is speaking to the right server,
>> because the server presented a signed certificate, but the server has no
>> idea about the browser. Usually, some other authentication mechanism is used
>> to identify the browser, of varying strengths (passwords, etc).
>>
>> In the case you want however, both sides of the connection are configured to
>> require a certificate from the other side. The certificates do the same job
>> as the keys that are exchanged in your SSH configuration, they allow the
>> other side to say "yup, I trust you", and that trust works both ways.
>>
>> Unlike an SSH key however, a certificate contains embedded within it details
>> of the person (or thing) that owns the certificate, but these are details as
>> far as the protocol is concerned.
>>
>> Regards,
>> Graham
>> --
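As an added illustration of Issac's point (this is example configuration written for this page, not anything posted in the thread), here is how the "tell Apache what to trust" step looks in mod_ssl. The file paths, the hostname and the CA/client names are assumptions. The first virtual host trusts an in-house CA and accepts any client certificate it has signed; the second trusts a hand-picked set of self-signed client certificates by listing them directly in the trust file and setting the verification depth to zero, so only those exact certificates (and nothing chained through them) are accepted.

```apache
# Example mod_ssl configuration (added here; not from the original thread).
# All paths and names below are placeholders.

# --- Variant 1: trust an in-house CA -------------------------------------
<VirtualHost *:443>
    ServerName example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.internal.crt
    SSLCertificateKeyFile /etc/ssl/private/example.internal.key

    # Require the browser to present a certificate during the handshake.
    SSLVerifyClient require

    # Only certificates chaining to this in-house CA are accepted.
    SSLCACertificateFile  /etc/ssl/inhouse-ca/ca.crt
    # Allow client cert -> in-house CA (depth 1); no deeper chains.
    SSLVerifyDepth 1

    # Surface the client identity to the application as REMOTE_USER,
    # taken from the certificate's subject CN.
    SSLUserName SSL_CLIENT_S_DN_CN
</VirtualHost>

# --- Variant 2: trust specific self-signed client certificates -----------
<VirtualHost *:443>
    ServerName selfsigned.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.internal.crt
    SSLCertificateKeyFile /etc/ssl/private/example.internal.key

    SSLVerifyClient require

    # A self-signed certificate is its own issuer, so concatenating the
    # accepted users' self-signed certs into the trust file makes each
    # one verify against itself. Depth 0 means only self-signed certs
    # that appear in this file pass; nothing signed *by* them does.
    SSLCACertificateFile  /etc/ssl/trusted-clients/clients.pem
    SSLVerifyDepth 0

    SSLUserName SSL_CLIENT_S_DN_CN
</VirtualHost>
```

Two practical notes. Neither variant performs the "answer secret questions before uploading the key" enrolment step Rob describes; that is an out-of-band process, and its only effect on this configuration is which certificates end up in the trust file (or which get signed by the in-house CA). And because the trust file is the whole access list in variant 2, treat it like a password database: removing a user means removing their certificate from the file and reloading Apache, since there is no CA and therefore no CRL to revoke it through.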