On Thu, Jan 27, 2005, Daniel Manley wrote:

> is that all it takes to make sure we've got the right userA? If we
> create our own CA and dish out certs for our server, then we just have
> to make sure the cert they have was issued by our CA. Can you configure
> openssl to only permit connections based on our CA? So then from there
> we can trust the subject and issuer name and serial number.
>

Yes you can do that: just make sure your CA certificate is the only one in the list of trusted CAs. How you do that depends on the server software in use.

There are other ways of getting a "unique identifier". For example the hash of the whole certificate using X509_digest().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
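
The two points in the reply above (a trust list holding only your own CA, and a whole-certificate hash as a unique identifier), shown with the `openssl` command-line tool as an added example that is not part of the original thread or of the OpenSSL project's code. It assumes OpenSSL 1.1.0 or later; the CA names, the `userA` subject and the file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example. CA and user names below are constructed for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_ca() {   # make_ca <name> <CN>: self-signed CA key + certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {     # issue <ca> <name> <CN>: certificate for CN signed by <ca>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.pem" 2>/dev/null
}

# Succeeds only when the certificate chains to our CA. -CAfile names our CA
# alone and -no-CApath keeps the system's default CA directory out of the
# trust list (needs OpenSSL 1.1.0 or later).
trusted_by_our_ca() {
  openssl verify -no-CApath -CAfile "$WORK/ours.pem" "$1" >/dev/null 2>&1
}

# SHA-256 over the whole DER-encoded certificate: the command-line
# counterpart of X509_digest(), usable as a per-certificate identifier.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

make_ca ours  "Example Private CA"
make_ca other "Some Other CA"
issue ours  userA     "userA"
issue other lookalike "userA"   # same subject name, different issuer

for c in userA lookalike; do
  if trusted_by_our_ca "$WORK/$c.pem"; then verdict=accepted; else verdict=rejected; fi
  echo "$c.pem: $verdict, sha256=$(fingerprint "$WORK/$c.pem")"
done
```

Both certificates carry the subject `CN=userA`, so the subject name is only meaningful once the issuer check has passed; the fingerprint differs per certificate regardless of the names in it.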
