Gayathri Sundar wrote:
> you can put CA2 as part of the revocation list?
> if CA2 is part of the client's CRL, then it will automatically
> be rejected..is this what you want?
Nothing about revocation, both CAs are valid and should stay valid. I do have a User CA 1 for one type of service (or one group of users) and a User CA 2 for another kind of service. Both are under the same root CA.

When I set up Apache/Mod_SSL I am not able to specify that the server should only request client certificates from User CA 1. It will always put the root certificate in the TLS certificate request, and so the client assumes that it is OK to send a certificate from User CA 2...

The only way to cope with this with Mozilla is to set up "manual choice" for the certificate (so whenever a certificate is necessary, the browser asks you, which is very often and annoying). So I am looking for a way to configure what the server sends in its client certificate request...

(Anyone who knows better how the words in the RFC are meant, speak up now! :-))

Of course, thanks for your help,

Cheers,

Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                         Consulting GmbH
Phone: (+49) 0700 / PRESECURE              [EMAIL PROTECTED]

A daily view on Internet Attacks          https://www.ecsirt.net/sensornet

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
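To make the mechanism Olaf describes concrete, here is an added example (not from the thread, and not Apache or mod_ssl code): it builds and parses the TLS 1.0/1.1 CertificateRequest body (RFC 2246 section 7.4.4: certificate_types followed by certificate_authorities, a list of DER-encoded DistinguishedNames) and applies the client-side rule that a client certificate is offered when any issuer in its chain matches a listed name. The CA names, the chains and the one-attribute DER Name encoder are constructed for the example; TLS 1.2 inserts a supported_signature_algorithms field between the two lists, which this example omits.

```python
# Added example (not from the thread): the CertificateRequest certificate_authorities
# list decides which client certificates a browser considers acceptable.
import struct

def der_len(n):
    """DER length octets for lengths below 256 (enough for the short names used here)."""
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])

def der_name(cn):
    """Encode a one-attribute X.501 Name:
    SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), PrintableString cn } } }"""
    attr = b"\x06\x03\x55\x04\x03" + b"\x13" + der_len(len(cn)) + cn.encode("ascii")
    rdn = b"\x30" + der_len(len(attr)) + attr
    rdn_set = b"\x31" + der_len(len(rdn)) + rdn
    return b"\x30" + der_len(len(rdn_set)) + rdn_set

def build_certificate_request(ca_cns, cert_types=(1,)):
    """TLS 1.0/1.1 CertificateRequest body: certificate_types<1..2^8-1>
    then certificate_authorities<0..2^16-1>, each DN length-prefixed with 2 bytes.
    cert_type 1 = rsa_sign."""
    types = bytes([len(cert_types)]) + bytes(cert_types)
    dns = b"".join(struct.pack("!H", len(d)) + d for d in (der_name(c) for c in ca_cns))
    return types + struct.pack("!H", len(dns)) + dns

def parse_certificate_request(body):
    """Return (certificate_types, [DER DistinguishedName, ...]) from a TLS 1.0/1.1 body."""
    n = body[0]
    types = list(body[1:1 + n])
    pos = 1 + n
    total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + total
    names = []
    while pos < end:
        dlen = struct.unpack("!H", body[pos:pos + 2])[0]
        names.append(body[pos + 2:pos + 2 + dlen])
        pos += 2 + dlen
    if pos != end:
        raise ValueError("truncated certificate_authorities list")
    return types, names

def client_would_offer(issuer_chain_cns, requested_dns):
    """Browser-side rule: the client cert is acceptable if any issuer in its chain
    (immediate issuer up to the root) byte-matches a DN the server listed."""
    return any(der_name(cn) in requested_dns for cn in issuer_chain_cns)

if __name__ == "__main__":
    # Server lists only the root: certs from both User CA 1 and User CA 2 match.
    _, listed = parse_certificate_request(build_certificate_request(["Root CA"]))
    print("root listed, User CA 2 cert offered:", client_would_offer(["User CA 2", "Root CA"], listed))
    # Server lists only User CA 1: the User CA 2 cert no longer qualifies.
    _, listed = parse_certificate_request(build_certificate_request(["User CA 1"]))
    print("User CA 1 listed, User CA 2 cert offered:", client_would_offer(["User CA 2", "Root CA"], listed))
```

Run it to see the two cases side by side: listing the root makes every certificate under it acceptable, listing only the intermediate restricts the browser's choice to that CA's certificates.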