On Wed, Mar 08, 2006, Peter Sylvester wrote:

> Dr. Stephen Henson wrote:
> >On Wed, Mar 08, 2006, Peter Sylvester wrote:
> >
> >  
> >>Another easy way is to use self-signed certs of the acceptable CAs.
> >>
> >>    
> >
> >I'm not sure that would work because the path building algorithm first
> >tries to construct as much of the path as possible from the set of untrusted
> >CAs with the exception of the root.
> >  
> But the self-signed certs of the CAs are the roots in this case, aren't
> they?
> 
> We are talking about how to configure an Apache mod_ssl for client certs?
> The so called "root" in the example would not even be visible.
> As far as I understood, the real CA hierarchy was
> 
> Root CA
>   |->  User CA 1   ->  User Certificate 1
>   |->  User CA 2   ->  User Certificate 2
> 
> I want to tell a webserver to accept certificates
> from User CA 1 but not from User CA 2
> 
> All that has to be set in mod_ssl or in s_server is a self-signed cert
> of CA 1.
> 
> Unless one also wants to allow certs for the root. So you set the root
> and the self-signed cert for CA 1.
> In this case a client could indeed send a CA 2 cert together with the
> CA 2 intermediate.
> 
> But in this case the verifydepth would work I think.
> 

Yes but the client will still send the user certificate, one intermediate
CA and optionally the root CA. OpenSSL will use those to build as much of the
path as possible and try to complete it using the trusted store. When it
can't find the root CA in that store it will fail.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
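The point of Steve's last reply is the order in which the verifier consults the peer-supplied (untrusted) certificates and the trusted store. The model below is an added example written for this page, not OpenSSL code: it reduces a certificate to the fields path building looks at (subject, issuer, subject key identifier, authority key identifier), builds the Root CA / User CA 1 / User CA 2 hierarchy from the thread, and runs two path-building strategies over it. `trusted_first=False` models the behaviour described above (untrusted certificates first, then the store, as OpenSSL 0.9.8 did); `trusted_first=True` models the strategy OpenSSL 1.1.0 and later use (and 1.0.2 with `-trusted_first`), where the store is consulted before the peer's certificates at every step. Signature checking, validity periods and CA constraints are deliberately left out; the key identifiers (`k-root`, `k-ca1`, ...) and the `Cert`/`build_chain`/`accepted` names are this example's own.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: just what path building uses."""
    name: str      # label reported in the built chain
    subject: str
    issuer: str
    skid: str      # subject key identifier (derived from the public key)
    akid: str      # authority key identifier (skid of the key that signed it)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.skid == self.akid


def find_issuer(cert: Cert, pool: Iterable[Cert]) -> Optional[Cert]:
    """Issuer lookup: candidate's subject must equal the issuer name and its
    SKID must match the AKID. A self-signed copy of a CA over the same key
    therefore matches exactly like the CA's real (root-issued) certificate."""
    for cand in pool:
        if cand != cert and cand.subject == cert.issuer and cand.skid == cert.akid:
            return cand
    return None


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                trusted_first: bool = False, max_depth: int = 10) -> Tuple[bool, List[str]]:
    """Build a path from leaf to a self-signed certificate.

    Returns (accepted, chain_names). The path is accepted only if the
    self-signed certificate it ends in is itself in the trusted store.
    max_depth is the number of CA certificates allowed above the leaf,
    i.e. what SSLVerifyDepth / s_server -verify limit.
    """
    chain = [leaf]
    store_only = False  # untrusted-first: once we step into the store, stay there
    while not chain[-1].self_signed:
        cur = chain[-1]
        if trusted_first:
            nxt = find_issuer(cur, trusted) or find_issuer(cur, untrusted)
        elif store_only:
            nxt = find_issuer(cur, trusted)
        else:
            nxt = find_issuer(cur, untrusted)
            if nxt is None:
                nxt = find_issuer(cur, trusted)
                store_only = nxt is not None
        if nxt is None:  # unable to get issuer certificate
            return False, [c.name for c in chain]
        if len(chain) > max_depth:  # appending nxt would exceed the allowed depth
            return False, [c.name for c in chain]
        chain.append(nxt)
    return chain[-1] in trusted, [c.name for c in chain]


def accepted(leaf: Cert, sent: List[Cert], store: List[Cert],
             trusted_first: bool = False, max_depth: int = 10) -> bool:
    """What the server decides for a client that presents `leaf` plus `sent`."""
    return build_chain(leaf, sent, store, trusted_first, max_depth)[0]


# The hierarchy from the thread (constructed sample data, key ids are labels only).
ROOT = Cert("Root CA", "CN=Root CA", "CN=Root CA", "k-root", "k-root")
CA1 = Cert("User CA 1", "CN=User CA 1", "CN=Root CA", "k-ca1", "k-root")
CA2 = Cert("User CA 2", "CN=User CA 2", "CN=Root CA", "k-ca2", "k-root")
USER1 = Cert("User Certificate 1", "CN=User 1", "CN=User CA 1", "k-u1", "k-ca1")
USER2 = Cert("User Certificate 2", "CN=User 2", "CN=User CA 2", "k-u2", "k-ca2")
# Peter's suggestion: a self-signed certificate for User CA 1 over the same key.
CA1_SELF = Cert("User CA 1 (self-signed)", "CN=User CA 1", "CN=User CA 1", "k-ca1", "k-ca1")

if __name__ == "__main__":
    scenarios = [
        ("store={CA1 self-signed}, client sends User 1 + CA 1", USER1, [CA1], [CA1_SELF], 10),
        ("store={CA1 self-signed}, client sends User 1 only", USER1, [], [CA1_SELF], 10),
        ("store={CA1 self-signed}, client sends User 2 + CA 2", USER2, [CA2], [CA1_SELF], 10),
        ("store={Root, CA1 self-signed}, client sends User 2 + CA 2", USER2, [CA2], [ROOT, CA1_SELF], 10),
        ("same store, verify depth 1, client sends User 1 + CA 1", USER1, [CA1], [ROOT, CA1_SELF], 1),
    ]
    for label, leaf, sent, store, depth in scenarios:
        for tf in (False, True):
            ok, names = build_chain(leaf, sent, store, trusted_first=tf, max_depth=depth)
            print(f"{label} [trusted_first={tf}] -> {'OK' if ok else 'FAIL'}: {' <- '.join(names)}")
```

Two things the model makes visible: with the untrusted-first strategy the self-signed CA 1 trick only works when the client omits the intermediate (the chain then jumps straight into the store), which is exactly why Steve expects it to fail; and adding the root to the store to cover that case admits User CA 2 as well, with a verify depth of 1 then rejecting both users under untrusted-first building but only User CA 2 under trusted-first building.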
