R. Markham wrote:
> I don't understand why a root CA which everybody can download from the
> internet is more secure than if I use my own CA. I want to make it clear I
> am not against using certificates from an official CA. But in some cases you
> can save your money on the expenses for the certificate if you use your
> self-signed certificate. If you want that only authenticated users can have
> access, then you can use SSLVerifyClient in Apache.
I made the same mistake as this, assuming that an authenticated client is authorised. This gave me a headache since I couldn't work out why it's secure, since anyone could obtain a signed client certificate from a root CA, and if that root CA is in the list of CAs on my webserver they can get access.

However, now I understand it. The root CA doesn't grant a certificate saying "this person is allowed access to your website" but "this person is WHO THEY SAY THEY ARE". This means it's still up to you to decide what they should be allowed to access (their authorization). You've just used a different way of identifying them: a certificate instead of a username & password.

SSLCheckClientDN and SSLFakeBasicAuth allow for authenticated access in Apache, NOT SSLVerifyClient. SSLVerifyClient just makes sure they have a valid client certificate.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
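As an added illustration of the distinction drawn above (example configuration, not from the original thread), an Apache httpd 2.4 mod_ssl virtual host where SSLVerifyClient only authenticates and a separate rule decides authorization. Paths, the organisation "Example Corp" and the OU "Staff" are hypothetical placeholders.

```apache
# Added example, not from the original thread. Assumes Apache httpd 2.4 with mod_ssl.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt       # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # AUTHENTICATION only: any certificate that chains to a CA in this bundle passes.
    # If the bundle holds public root CAs, anyone who buys a client certificate from
    # one of them passes this check. A private CA that only you operate narrows the
    # set of acceptable certificates, but still says nothing about permissions.
    SSLCACertificateFile  /etc/ssl/certs/client-ca-bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # AUTHORIZATION is a separate decision, made on fields of the verified certificate.
    # Only subjects with the organisation and unit we issued get into /private.
    <Location /private>
        SSLRequireSSL
        Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Corp' && %{SSL_CLIENT_S_DN_OU} == 'Staff'"
    </Location>

    # Alternative: map the certificate subject DN onto a user list. With FakeBasicAuth
    # mod_ssl supplies the subject DN as the username and the fixed word "password"
    # as the password, so the file lists one DN per line with that password hashed.
    <Location /admin>
        SSLRequireSSL
        SSLOptions +FakeBasicAuth +StdEnvVars
        AuthType Basic
        AuthName "Admin"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/ssl-users.htpasswd     # placeholder path
        Require valid-user
    </Location>
</VirtualHost>
```

Without the `Require` rules, every holder of a certificate from any CA in the bundle reaches both locations, which is exactly the mistake described in the post.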