On Sat, Mar 06, 1999, Mario Fabiano wrote:
> I want to authorise specific clients to access a certain directory
> relying upon their certificates.
>
> From the apache-mod_ssl httpd.conf configuration file:
> # FakeBasicAuth:
> # Translate the client X.509 into a Basic Authorisation. This means that
> # the standard Auth/DBMAuth methods can be used for access control. The
> # user name is the `one line' version of the client's X.509 certificate.
> # Note that no password is obtained from the user. Every entry in the user
> # file needs this password: `xxj31ZMTZzkVA'.
>
> I can't understand what I should put into my /etc/httpd/passwd and
> /etc/httpd/group, and how I can get the `one line' version of the
> client's X.509 certificate.

Why do you dislike the mod_ssl User Manual? ;-)

| When this option is enabled, the Subject Distinguished Name (DN) of the
| Client X509 Certificate is translated into a HTTP Basic Authorization
| username. This means that the standard Apache authentication methods can be
| used for access control. The user name is just the Subject of the Client's
| X509 Certificate (can be determined by running OpenSSL's openssl x509
| command: openssl x509 -noout -subject -in certificate.crt). Note that no
| password is obtained from the user. Every entry in the user file needs this
| password: ``xxj31ZMTZzkVA'', which is the encrypted version of the word
| ``password''.

So, you have to first run the x509 program to determine the Subject DN, then
enter this DN followed by a colon followed by xxj31ZMTZzkVA into the
/etc/httpd/passwd file.

PS: Before you ask where to find the `openssl' program:
It's the same as your `ssleay' program. Read the paragraph in mod_ssl's
INSTALL file for details about this.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
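
Added example, not part of the original message or of mod_ssl's own code: a shell helper for the step described in the reply, turning the `openssl x509 -noout -subject` output into a `DN:xxj31ZMTZzkVA` line for the user file. The function names and the sample DN are constructed for illustration, and `-nameopt compat` is an assumption for newer OpenSSL releases, whose default `-subject` output is no longer the one-line `/C=.../CN=...` form that FakeBasicAuth uses as the user name.

```shell
#!/bin/sh
# Added example: build FakeBasicAuth entries for the AuthUserFile
# (/etc/httpd/passwd in the thread) from a client certificate's Subject DN.

FAKE_PW='xxj31ZMTZzkVA'   # fixed password entry quoted from the mod_ssl manual

# subject_to_entry LINE   (hypothetical helper name)
# LINE is one line of `openssl x509 -noout -subject` output.
# Prints "DN:xxj31ZMTZzkVA" on stdout; returns 1 if the DN is unusable.
subject_to_entry() {
    # Drop the "subject=" label and any blanks around the DN.
    dn=$(printf '%s\n' "$1" |
         sed -e 's/^subject=[[:space:]]*//' -e 's/[[:space:]]*$//')

    # The user name must be the one-line form, which starts with "/".
    case $dn in
        /*) ;;
        *)  echo "not a one-line DN: $dn" >&2; return 1 ;;
    esac

    # The user file separates name and password with the first ":",
    # so a DN containing ":" could never match its own entry.
    case $dn in
        *:*) echo "DN contains ':' and cannot be a user file key" >&2
             return 1 ;;
    esac

    printf '%s:%s\n' "$dn" "$FAKE_PW"
}

# cert_to_entry FILE   (hypothetical helper name)
# Same as above, reading the Subject DN from a PEM certificate.
# Assumption: the installed openssl accepts -nameopt compat.
cert_to_entry() {
    line=$(openssl x509 -noout -subject -nameopt compat -in "$1") || return 1
    subject_to_entry "$line"
}

# Constructed sample line, so the example runs without a certificate.
SAMPLE='subject= /C=DE/O=Example Org/OU=Staff/CN=Jane Doe'
subject_to_entry "$SAMPLE"
```

Append the printed line to `/etc/httpd/passwd`. Because every entry shares the same known password, the entries only authenticate anyone when the server also verifies the client certificate.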