You can put CA2 as part of the revocation list? If CA2 is part of the client's CRL, then it will automatically be rejected. Is this what you want?
Thanks
--G3

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olaf Gellert
Sent: Tuesday, March 07, 2006 5:26 PM
To: openssl-users@openssl.org
Subject: Choice of CAs in SSL/TLS handshake

Hi,

I came across the following problem: I do have two user CAs under the same root CA:

  Root CA
   |-> User CA 1 -> User Certificate 1
   |-> User CA 2 -> User Certificate 2

I want to tell a webserver to accept certificates from User CA 1 but not from User CA 2. But: in openssl s_server AND in mod_ssl I can only specify a list (as file or directory) of trusted CAs. These are used for two purposes:

a) the server puts all of them in its certificate_request message during SSL connection establishment.
b) they have to contain the root certificate as trust anchor.

What I need is a way to specify the requested client CAs WITHOUT the root certificate. Otherwise clients (Mozilla/Firefox) think that both CAs are accepted (because the root certificate is in the certificate request message).

Any way to do this? Is this just a missing feature or do I read the RFC wrong? This is what RFC 2246 says about the request message (sec. 7.4.4):

   certificate_authorities
      A list of the distinguished names of acceptable certificate
      authorities. These distinguished names may specify a desired
      distinguished name for a root CA or for a subordinate CA; thus,
      this message can be used both to describe known roots and a
      desired authorization space.

So it should be possible to provide only the certificate of User CA 1? (But then openssl s_server and mod_ssl do not find a valid root certificate.)

Thanks for any help,

Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                         Consulting GmbH
Phone: (+49) 0700 / PRESECURE              [EMAIL PROTECTED]
A daily view on Internet Attacks           https://www.ecsirt.net/sensornet
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
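An added example for this thread, constructed for this page and not taken from either message, from OpenSSL or from mod_ssl: it builds the hierarchy from Olaf's question with the openssl command line (file names, subjects and serial numbers are made up here) and runs openssl verify in the three configurations the question turns on. Cases (a) and (b) reproduce the two-purpose problem he describes: a root-only trust store accepts both branches, and a store holding only User CA 1 verifies nothing because no self-signed anchor is reachable. Case (c) shows one way out that exists in OpenSSL 1.0.2 and later, i.e. after this thread: let User CA 1 itself be the trust anchor (-partial_chain on the command line, X509_V_FLAG_PARTIAL_CHAIN in the library), so that the trust store and the DN list sent in certificate_request are the same single CA and both exclude User CA 2. It assumes the openssl binary is on PATH and that a temporary directory can be created.

```shell
#!/bin/sh
# Added example for this thread (not Olaf's or G3's code, not part of OpenSSL
# or mod_ssl). Builds Root CA -> User CA 1/2 -> User Certificate 1/2 with the
# openssl CLI in a scratch directory and checks which trust-store configuration
# actually shuts out User CA 2. Subjects, file names and serials are made up.
# Needs the openssl binary; -partial_chain needs OpenSSL 1.0.2 or later.

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK" || exit 1

# Self-signed trust anchor. `req -x509` marks it CA:TRUE by default.
mk_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Root CA" \
        -keyout root.key -out root.pem >/dev/null 2>&1
}

# issue_cert NAME SUBJECT ISSUER SERIAL EXTFILE: key + CSR for NAME, signed by ISSUER.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -set_serial "$4" -days 1 -extfile "$5" -out "$1.pem" >/dev/null 2>&1
}

# Builds the whole hierarchy; user2_chain.pem is what a client under User CA 2
# would send along with its own certificate (its CA plus the root).
build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext
    mk_root &&
    issue_cert ca1   "/CN=User CA 1"          root 1001 ca.ext &&
    issue_cert ca2   "/CN=User CA 2"          root 1002 ca.ext &&
    issue_cert user1 "/CN=User Certificate 1" ca1  2001 leaf.ext &&
    issue_cert user2 "/CN=User Certificate 2" ca2  2002 leaf.ext &&
    cat ca2.pem root.pem > user2_chain.pem
}

# verdict LEAF [verify options]: prints "accept" or "reject", never aborts the caller.
verdict() {
    leaf=$1; shift
    if openssl verify "$@" "$leaf" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# (a) Trust store holds only the root, the usual s_server/mod_ssl setup.
#     Both branches chain to it, so User CA 2 cannot be excluded this way.
root_store_user1() { verdict user1.pem -CAfile root.pem -untrusted ca1.pem; }
root_store_user2() { verdict user2.pem -CAfile root.pem -untrusted user2_chain.pem; }

# (b) Trust store holds only User CA 1, default verification: OpenSSL insists on
#     reaching a self-signed anchor, so even User Certificate 1 fails with
#     "unable to get issuer certificate". This is the failure in the question.
ca1_store_user1() { verdict user1.pem -CAfile ca1.pem; }

# (c) Trust store holds only User CA 1 and the intermediate may be the anchor
#     (-partial_chain / X509_V_FLAG_PARTIAL_CHAIN). User Certificate 1 verifies;
#     User Certificate 2 is rejected even when the client supplies User CA 2
#     and the root, because neither of them is trusted.
partial_store_user1() { verdict user1.pem -partial_chain -CAfile ca1.pem; }
partial_store_user2() { verdict user2.pem -partial_chain -CAfile ca1.pem -untrusted user2_chain.pem; }

build_pki || { echo "could not build the test PKI in $WORK" >&2; exit 1; }

printf '%-34s %s\n' "root store, user1"          "$(root_store_user1)"
printf '%-34s %s\n' "root store, user2"          "$(root_store_user2)"
printf '%-34s %s\n' "CA1 store, user1"           "$(ca1_store_user1)"
printf '%-34s %s\n' "CA1 store + partial, user1" "$(partial_store_user1)"
printf '%-34s %s\n' "CA1 store + partial, user2" "$(partial_store_user2)"
```

The point a practitioner should take from the three cases: the DN list in certificate_request is only a hint to the client. A client is free to present User Certificate 2 anyway, so the restriction to User CA 1 has to be enforced by the server's own chain verification, and the root-only store of case (a) does not enforce it. Case (c) gives both the right hint and the enforcement with one file. In the library the two lists are in any case separate: SSL_CTX_load_verify_locations() fills the trust store, SSL_CTX_set_client_CA_list() sets the DNs advertised in certificate_request, and X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN) is what -partial_chain turns on; openssl s_server accepts -partial_chain together with -CAfile ca1.pem from 1.0.2 on, and httpd 2.2 and later separate the advertised list from the trust store with SSLCADNRequestFile next to SSLCACertificateFile. A CRL only closes the User CA 2 branch if the Root CA actually revokes that CA certificate and the server is configured to check that CRL.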