On Thu, Aug 21, 2003, Rohan Pinto wrote:

> 
> I have a SunONE WebServer 6.0 running on a certain subnet. (www.abcd.com -
> for this example)
> The Webserver serves content over http.
> I intend to protect this content via PDC authentication. To do so, I'd need
> 2 things.
> 1. A Server Cert
> 2. A User Cert (on a smartcard) [assumption is that the user would be
> prompted to insert his smartcard every time he wishes to access the server.
> I'd plug the usercert on the browser (custom app) and retain the public key
> on the card. the browser would have a pointer to the card for the public
> key]
> 

I think you mean retain the private key on the card: the public key will be in
the user cert anyway...

You'll also need a PKCS#11 module to do the private key SSL/TLS operations on
the smart card (for Mozilla/Netscape) or a CSP (for MSIE).

> 
> Then I launched my webserver admin console and added ca.cer as the
> rootCAcert and server.cer as the cert for the server itself.
> I then added a listen socket on the server listening on port 443. I also
> enabled Client Authentication (for PDC authentication)
> At this point, even though I did not have a PDC, I assumed that the server
> would simply deny access.
> But the issue is that this method just didn't work.

It could be that the browser is giving an uninformative error message. First
try it without enabling client authentication on the server.

If you can connect OK then the server cert is fine.

Then try enabling client auth. If it stops working use s_client to check the
list of CAs the server presents to see if the required client auth CA is
present. If not then that's the problem: you need to add your client CA to the
list of CAs the server sends out with client auth...

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
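The s_client check Steve describes, as an added example that is not part of the original thread and not code from the OpenSSL project: it runs `openssl s_client` against a client-auth listener, pulls out the "Acceptable client certificate CA names" block, and tests whether the CA that issued the smart-card certificates is in it. The host www.abcd.com, port 443, the function names and the DNs in the embedded transcript are assumptions made for the example; the transcript is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the OpenSSL project:
# automate the s_client check for the client-auth CA list. The host, port and
# the DNs in the embedded transcript are made up for illustration.

# Connect to a TLS listener that has client authentication enabled and print
# the CA names the server advertised in its CertificateRequest. The handshake
# itself is expected to fail (we send no client cert); the server's CA list
# has already been printed by then, which is all we need.
probe_client_cas() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        extract_ca_section
}

# Reduce s_client output to the DN lines under "Acceptable client certificate
# CA names", one per line. Prints nothing when the server sent no CA list
# (the "No client certificate CA names sent" case, or no client auth at all).
extract_ca_section() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^---/                        { exit }
        in_list && /^(Client Certificate Types|Requested Signature Algorithms|Shared Requested|Peer sign|Server Temp Key|SSL handshake)/ { exit }
        in_list                                  { print }
    '
}

# Succeed if the DN given as $1 is in the list read from stdin. Write the DN
# exactly as your s_client prints it ("C = US, O = abcd, CN = ..." on 1.1.x
# and later, "/C=US/O=abcd/CN=..." on older builds).
ca_list_has() {
    grep -F -x -q -- "$1"
}

# Constructed s_client transcript for a server that only advertises its own
# root CA and not the CA that issued the smart-card client certificates.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, O = abcd, CN = www.abcd.com
   i:C = US, O = abcd, CN = abcd Root CA
---
Acceptable client certificate CA names
C = US, O = abcd, CN = abcd Root CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256
---
SSL handshake has read 1532 bytes and written 415 bytes
EOF
}

# Run the check against the constructed transcript instead of a live server.
check_sample() {
    sample_s_client_output | extract_ca_section | ca_list_has "$1"
}

# Live use: sh check_client_cas.sh www.abcd.com 443 "C = US, O = abcd, CN = abcd Client CA"
if [ "$#" -ge 2 ]; then
    advertised=$(probe_client_cas "$1" "$2")
    if [ -z "$advertised" ]; then
        echo "server sent no client CA list (client auth not enabled, or no CAs configured)"
        exit 1
    fi
    echo "advertised client CAs:"; printf '%s\n' "$advertised"
    if [ "$#" -ge 3 ]; then
        if printf '%s\n' "$advertised" | ca_list_has "$3"; then
            echo "OK: client CA is advertised"
        else
            echo "MISSING: add '$3' to the CA list the server sends with client auth"
            exit 1
        fi
    fi
fi
```

With the constructed transcript the only advertised name is the server's own root CA, which is the situation Steve is pointing at: the browser has a smart-card certificate from a different issuer, finds no matching CA in the CertificateRequest, sends no certificate, and the server rejects the connection with whatever terse error the browser chooses to show. Running the script with no arguments just defines the functions; pass a host, port and the client CA's DN to test a real listener.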