Gayathri Sundar wrote:
> you can put CA2 as part of the revocation list?
> if CA2 is part of the client's CRL, then it will automatically
> be rejected... is this what you want?

Nothing about revocation, both CAs are valid
and should stay valid. I do have a User CA 1
for one type of service (or one group of users)
and a User CA 2 for another kind of service.
Both are under the same root CA.
When I set up Apache/Mod_SSL I am not able to
specify that the server should only request
client certificates from User CA 1. It will
always put the root certificate in the TLS
certificate request and so the client assumes
that it is ok to send a certificate from User
CA 2...

The only way to cope with this with Mozilla is
to set up "manual choice" for the certificate
(so whenever a certificate is necessary, the
browser asks you, which is very often and
annoying).

So I am looking for a way to configure what
the server sends in its client certificate
request... (Anyone who knows better how the
words in the RFC are meant, speak up now! :-))

Of course, thanks for your help,

Cheers, Olaf

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [EMAIL PROTECTED]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
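
The selection behaviour described in the message above, as an added example that is not part of the original post: a simplified model of how a client filters its certificates against the CA names in a TLS certificate request, plus the issuer check a server still needs. All DNs, the certificate store and the function names are constructed, and matching a listed DN against any issuer in the chain is an assumption about the client.

```python
from dataclasses import dataclass

# Constructed DNs standing in for the hierarchy described in the post.
ROOT = "CN=Example Root CA"
USER_CA_1 = "CN=Example User CA 1"
USER_CA_2 = "CN=Example User CA 2"

@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuers: tuple  # issuer DNs, direct issuer first, root last

# Constructed client certificate store: one certificate per user CA.
STORE = [
    ClientCert("CN=user, OU=service1", (USER_CA_1, ROOT)),
    ClientCert("CN=user, OU=service2", (USER_CA_2, ROOT)),
]

def candidates(store, ca_names):
    """Subjects the client may offer for a certificate request's CA list.

    Assumption: the client matches a listed DN against any issuer in the
    chain. An empty list states no preference, so everything qualifies.
    """
    if not ca_names:
        return [c.subject for c in store]
    wanted = set(ca_names)
    return [c.subject for c in store if wanted & set(c.issuers)]

def server_authorizes(cert, trust_anchor, required_issuer):
    """Server-side check: the chain ends at the trust anchor AND the direct
    issuer is the CA meant for this service. The CA list is only a hint,
    so this check is needed whatever the client was told."""
    return cert.issuers[-1] == trust_anchor and cert.issuers[0] == required_issuer

if __name__ == "__main__":
    # Root listed: both certificates qualify, so the client cannot choose.
    print("root listed:     ", candidates(STORE, [ROOT]))
    # Only User CA 1 listed: exactly one certificate qualifies.
    print("User CA 1 listed:", candidates(STORE, [USER_CA_1]))
    for cert in STORE:
        print(cert.subject, "authorized:", server_authorizes(cert, ROOT, USER_CA_1))
```
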
