On Mon, Sep 21, 1998, Mario Filipe wrote:

>[...]
> So far we are using mod_ssl just to check passwords and send the most important
> that through it but we would like to have more.
> 
> We would like to force people to get a certificate signed by us to have access
> to the system. I think this is possible (there is one directive
> SSLVerifyClient). The problem is on the client side. I think that the
> certificates after being signed by us must be imported into netscape (let's
> forget ie for now). First Question: How do I generate a certificate and import
> it into netscape (using ssleay)?

There are two ways: You can set up some CGI scripts and load the certs with the
`application/x-x509-user-cert' MIME type into Netscape (this approach is more
complicated) or you bundle the cert and key into a PKCS#12 file and import it
into Netscape (works for latest Communicator versions and even MSIE).  I
personally prefer the second approach. All you have to do is to build the
excellent pkcs12 program (it's not part of SSLeay). It can be found under
http://www.drh-consultancy.demon.co.uk/pkcs12faq.html or alternatively it also
stays under the mod_ssl->Distrib->Misc area on my website.  The best reference
for the first approach is Frederick J. Hirsch's article (the URL can be found
under mod_ssl->Related->HowTo).

> Another question that I have is how do I tell netscape that I know a new CA (me
> in this case) and I want it to accept its certificates?

When you use the PKCS#12 import/export format you can put the CA cert into the
export file together with the client cert/key.  This way Netscape
automatically loads the CA cert, too. For the first approach above you have to
load the CA cert with the MIME-type, too. In other words you have to load the
CA cert and the client cert the same way.

> P.S.: Do you think we're exaggerating on the security we're trying to build into
> this thing? Thanks!

No, why shouldn't you? Running your own CA for your closed user group is the
standard approach when you don't want to force your users to buy certificates
from third-party CAs.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]

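The procedure Ralf describes (run your own CA, sign each user's certificate, ship key + client cert + CA cert in one PKCS#12 file, and turn on SSLVerifyClient on the server) written out as an added example. This is not code from the original post or from mod_ssl; it uses today's `openssl` command line instead of the 1998 SSLeay tools and the separate pkcs12 program, and every name in it (the CA and user CN values, file names, the export password "changeit", the environment variable DEMO_DIR) is an assumption for the demonstration. It also adds the check a practitioner wants before going live: a certificate from some other CA must fail verification against the CA file the server trusts.

```shell
#!/bin/sh
# Added example (not from the original mod_ssl post): a private CA that
# issues one client certificate and bundles it, together with the CA cert,
# into a PKCS#12 file for browser import. Modern openssl CLI, not SSLeay.
# CN values, file names and the password "changeit" are made-up values.
set -eu

# make_pki DIR PASSWORD: build the CA, a signed client cert, the PKCS#12
# bundle and a matching server config fragment under DIR.
make_pki() {
    dir=$1; pw=$2
    mkdir -p "$dir"
    # 1. The CA: self-signed; its private key stays with the site operator.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Closed User Group/CN=Private Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. The user's key pair and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Closed User Group/CN=mario" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # 3. Sign the request with the CA; SSLVerifyClient will check this chain.
    openssl x509 -req -in "$dir/client.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    # 4. Key + client cert + CA cert in one PKCS#12 file. -certfile is what
    #    puts the CA cert into the bundle, so the browser learns the new CA
    #    while importing the user's identity (the point made in the post).
    openssl pkcs12 -export -name "mario" \
        -inkey "$dir/client.key" -in "$dir/client.crt" -certfile "$dir/ca.crt" \
        -passout "pass:$pw" -out "$dir/client.p12"
    # 5. Server side (mod_ssl directive names; the path is this demo's).
    cat > "$dir/httpd-client-auth.conf" <<EOF
SSLVerifyClient      require
SSLVerifyDepth       1
SSLCACertificateFile $dir/ca.crt
EOF
}

# count_p12_certs FILE PASSWORD: how many certificates the bundle carries.
# Expect 2 (client cert + CA cert); a bare client cert would give 1.
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# verify_client_cert DIR: does the issued cert chain to the trusted CA?
# Exit status 0 means the server would accept it.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# rogue_cert_rejected DIR: a self-signed cert with the same CN but not
# issued by our CA must fail; otherwise SSLVerifyClient proves nothing.
rogue_cert_rejected() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=mario" -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
    if openssl verify -CAfile "$1/ca.crt" "$1/rogue.crt" >/dev/null 2>&1; then
        return 1    # accepted a foreign cert: that would be a bug
    fi
    return 0
}

# Stand-alone run:  DEMO_DIR=./demo-ca sh client-ca.sh
if [ -n "${DEMO_DIR:-}" ]; then
    make_pki "$DEMO_DIR" changeit
    echo "certificates in bundle: $(count_p12_certs "$DEMO_DIR/client.p12" changeit)"
    verify_client_cert "$DEMO_DIR" && echo "client cert chains to our CA"
    rogue_cert_rejected "$DEMO_DIR" && echo "foreign cert rejected"
fi
```

The resulting client.p12 is what the user imports into the browser; SSLVerifyDepth 1 matches a flat hierarchy where every client cert is signed directly by the one CA. One caveat when targeting very old clients: OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which browsers of the Communicator era do not understand; its `openssl pkcs12 -export -legacy` option (needs the legacy provider) produces the older RC2/3DES encoding.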