Alexandre Arantes wrote:
one of them asked me why did I choose not to add the client hostname to the Client Certificate, thus making it usable only by that specific client.
There are no standardized naming rules for client certs like the TLS server hostname check implemented at the client side.
You have to define and implement your own naming/mapping rules at the server side.
And so I started searching online for ways to do it, but found nothing.
No wonder because there's no standard way. Several possibilites for client cert "names": - subject DN - issuer-DN + serial no. - cert fingerprint - Any naming convention stuffed into subjectAltName extension Some inspiration in various server software: FakeBasicAuth in Apache's mod_ssl: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions Certificate Mappers in OpenDJ: http://docs.forgerock.org/en/opendj/2.6.0/configref/certificate-mapper.html Ciao, Michael.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
