On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
...
> I imported iestuff.p12 into my MSIE browser and selected that certificate
> when prompted by the browser.
>
> I then used the following SSL related values in my SSL vhost:
>
> SSLEngine on
> SSLCertificateFile /home/dan/CA/demoCA/cacert.pem
> SSLCertificateKeyFile /home/dan/CA/demoCA/private/cakey.key
>
> SSLCACertificatePath /home/dan/CA/demoCA/
> SSLCACertificateFile /home/dan/CA/demoCA/cacert.pem
>
> <Location /securelocation>
> SSLVerifyClient require
> SSLVerifyDepth 1
> </Location>
>
> Note that I'm using the CA certificate and key for the SSL and the
> SSLCA information. Does that make sense? I tried this:
>
> SSLCACertificatePath /home/dan/CA/
> SSLCACertificateFile /home/dan/CA/newcert.pem
>
> But if I use that combination, my browser certificate is not listed in the
> "Client Authentication" dialog box presented by the browser when I go
> to /securelocation.
>
> Why? What have I misunderstood?
You should use three distinct certificates (and corresponding private keys):
* The CA certificate. You already have one; use it with SSLCACertificateFile.
* The server's certificate. You don't have one yet. Create a new one
  signed by your CA. Issue it with the CommonName (CN) set to the FQDN
  (fully qualified domain name) of your server. Use it with:
    mv newkey.pem server_key.pem
    mv newcert.pem server_cert.pem
    SSLCertificateFile /path/to/server_cert.pem
    SSLCertificateKeyFile /path/to/server_key.pem
* The client key. You already put it into iestuff.p12...
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
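The three-certificate setup from Lutz's reply, as an added example that is not part of the original thread: it builds a CA, a CA-signed server certificate and a CA-signed client certificate (packaged as PKCS#12) with the openssl CLI, then checks which file the client certificate actually chains to. The directory layout, subjects (Demo CA, www.example.test, dan) and the PKCS#12 password are constructed for the demo and assume only a standard openssl installation.

```shell
#!/bin/sh
# Added example, not from the original mail: build the three distinct key
# pairs Lutz describes with the openssl CLI, then check which "CA file" the
# client certificate really chains to. All names, subjects and paths are
# constructed for this demo; replace them with your own.
set -e

# Create CA, server and client key pairs under $1 (a scratch directory).
build_demo_pki() {
  dir="$1"; mkdir -p "$dir"
  # 1. The CA: self-signed, used only to sign and as SSLCACertificateFile.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  # 2. The server certificate: CN is the server's FQDN (constructed here).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$dir/server_key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
    -out "$dir/server_cert.pem" 2>/dev/null
  # 3. The client certificate, signed by the same CA and bundled as PKCS#12
  #    (the equivalent of iestuff.p12) for import into a browser.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dan" \
    -keyout "$dir/client_key.pem" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
    -out "$dir/client_cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/client_cert.pem" -inkey "$dir/client_key.pem" \
    -certfile "$dir/cacert.pem" -passout pass:demo -out "$dir/client.p12"
}

# Exit 0 if certificate $2 chains to the CA file $1, non-zero otherwise.
# mod_ssl advertises the subjects in SSLCACertificateFile as acceptable
# client-certificate issuers, so this is the check a browser effectively
# performs before it offers a certificate in its selection dialog.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
# Correct: SSLCACertificateFile points at the CA certificate.
chains_to "$DEMO_DIR/cacert.pem" "$DEMO_DIR/client_cert.pem" && echo "CA file: OK"
# The mistake from the quoted mail: SSLCACertificateFile points at the server cert.
chains_to "$DEMO_DIR/server_cert.pem" "$DEMO_DIR/client_cert.pem" \
  || echo "server cert as CA file: client cert NOT accepted"
```

Pointing SSLCertificateFile at the CA certificate, as in the quoted config, also hands the CA's private key to the web server process, which is why the reply insists on a separate server key pair.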