Dr. Stephen Henson wrote:
> On Wed, Mar 08, 2006, Peter Sylvester wrote:
>> Another easy way is to use self signed certs of the acceptable CAs.
>
> I'm not sure that would work because the path building algorithm first tries to construct as much of the path as possible from the set of untrusted CAs with the exception of the root.

But the self signed certs of the CAs are the roots in this case, aren't they?
We are talking about how to configure an Apache mod_ssl for client certs? The so called "root" in the example would not even be visible. As far as I understood, the real CA hierarchy was

Root CA
|-> User CA 1 -> User Certificate 1
|-> User CA 2 -> User Certificate 2

I want to tell a webserver to accept certificates from User CA 1 but not from User CA 2

All that has to be set in mod_ssl or in s_server is a self signed cert of CA 1
Unless one also wants to allow certs for the root. So you set the root and the self signed cert for CA 1. In this case a client could indeed send a CA 2 cert together with the CA 2 intermediate. But in this case the verifydepth would work I think.
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
--
To verify the signature, see http://edelpki.edelweb.fr/
That lets you load the authority's certificate; you will also find the list of revoked certificates there.
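The trust setup discussed in this message, as an added example that is not part of the original thread: a throwaway copy of the hierarchy is generated and each user certificate is checked against a store that holds only a self-signed cert for CA 1. It assumes the openssl command-line tool, version 1.1.1 or later; the file names, the `build_pki` and `accepted` helpers and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI mirroring the hierarchy in the message.
# Assumption: openssl CLI 1.1.1 or later; every file name here is made up.

build_pki() (            # $1 = empty scratch directory (runs in a subshell)
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
    '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > pki.cnf
  for k in root ca1 ca2 user1 user2; do
    openssl ecparam -genkey -name prime256v1 -noout -out "$k.key" || exit 1
  done
  selfsign() {           # $1 = key stem, $2 = subject, $3 = output file
    openssl req -x509 -new -config pki.cnf -key "$1.key" -subj "$2" \
      -days 2 -out "$3"
  }
  issue() {              # $1 = subject stem, $2 = subject, $3 = issuer stem
    s=$1 subj=$2 ca=$3; shift 3        # remaining args go to "x509 -req"
    openssl req -new -config pki.cnf -key "$s.key" -subj "$subj" \
      -out "$s.csr" &&
    openssl x509 -req -in "$s.csr" -CA "$ca.pem" -CAkey "$ca.key" \
      -CAcreateserial -days 2 -out "$s.pem" "$@" 2>/dev/null
  }
  selfsign root '/CN=Root CA' root.pem &&
  issue ca1 '/CN=User CA 1' root -extfile pki.cnf -extensions ca &&
  issue ca2 '/CN=User CA 2' root -extfile pki.cnf -extensions ca &&
  issue user1 '/CN=User Certificate 1' ca1 &&
  issue user2 '/CN=User Certificate 2' ca2 &&
  # The trust anchor from the message: CA 1's own name and key, self-signed.
  selfsign ca1 '/CN=User CA 1' ca1-self.pem
)

# Check a leaf against a store holding only the self-signed CA 1 cert.
# The intermediate a client might send is passed as untrusted input.
accepted() {             # $1 = dir, $2 = leaf stem, $3 = intermediate stem
  openssl verify -no-CApath -CAfile "$1/ca1-self.pem" \
    -untrusted "$1/$3.pem" "$1/$2.pem" >/dev/null 2>&1
}

# Demo run on the constructed hierarchy.
d=$(mktemp -d) && build_pki "$d" || exit 1
accepted "$d" user1 ca1 && echo "User Certificate 1: accepted"
accepted "$d" user2 ca2 || echo "User Certificate 2: rejected"
```

Here `ca1-self.pem` stands in for the file given to the server as its trusted CA list (`-CAfile` for `s_server`).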