Re: Does this CA process make sense?

2001-07-12 Thread Dan Langille

On 11 Jul 2001, at 9:51, Lutz Jaenicke wrote:

> On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
> ...
> > I imported iestuff.p12 into my MSIE browser and selected that certificate 
> > when prompted by the browser.
> > 
> > I then used the following SSL related values in my SSL vhost:
> > 
> > SSLEngine   on
> > SSLCertificateFile  /home/dan/CA/demoCA/cacert.pem
> > SSLCertificateKeyFile   /home/dan/CA/demoCA/private/cakey.key
> > 
> > SSLCACertificatePath    /home/dan/CA/demoCA/
> > SSLCACertificateFile    /home/dan/CA/demoCA/cacert.pem
> > 
> > 
> > SSLVerifyClient require
> > SSLVerifyDepth  1
> > 
> > 
> > Note that I'm using the CA certificate and key for the SSL and the 
> > SSLCA information.  Does that make sense?  I tried this:
> > 
> > SSLCACertificatePath    /home/dan/CA/
> > SSLCACertificateFile    /home/dan/CA/newcert.pem
> > 
> > But if I use that combination, my browser certificate is not listed in the 
> > "Client Authentication" dialog box presented by the browser when I go 
> > to /securelocation.
> > 
> > Why?  What have I misunderstood?
> 
> You should use three distinct certificates (and corresponding private keys):
> * The CA certificate. You already have one, use it with SSLCACertificateFile

SSLCACertificatePath    /home/dan/CA/demoCA/
SSLCACertificateFile    /home/dan/CA/demoCA/cacert.pem

> * The server's certificate. You don't have one by now. Create a new one
>   signed by your CA. Issue it for CommonName (CN) being the FQDN
>   (fully qualified domain name) of your server: Use it with
>   mv newkey.pem server_key.pem
>   mv newcert.pem server_cert.pem
>   SSLCertificateFile /path/to/server_cert.pem
>   SSLCertificateKeyFile /path/to/server_key.pem

SSLCertificateFile  /home/dan/CA/server_cert.pem
SSLCertificateKeyFile   /home/dan/CA/server_key.pem

> * The client key. You already put it into iestuff.p12...

Done.  Thank you.  That's working fine now.  I see what I was doing 
wrong.  I was swapping the server and CA certificates.  That's why the 
browser did not list any certificates when I visited the secure area of the 
site.

cheers

-- 
Dan Langille
pgpkey - finger [EMAIL PROTECTED] | http://unixathome.org/finger.php
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Does this CA process make sense?

2001-07-11 Thread Lutz Jaenicke

On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
...
> I imported iestuff.p12 into my MSIE browser and selected that certificate 
> when prompted by the browser.
> 
> I then used the following SSL related values in my SSL vhost:
> 
> SSLEngine   on
> SSLCertificateFile  /home/dan/CA/demoCA/cacert.pem
> SSLCertificateKeyFile   /home/dan/CA/demoCA/private/cakey.key
> 
> SSLCACertificatePath    /home/dan/CA/demoCA/
> SSLCACertificateFile    /home/dan/CA/demoCA/cacert.pem
> 
> 
> SSLVerifyClient require
> SSLVerifyDepth  1
> 
> 
> Note that I'm using the CA certificate and key for the SSL and the 
> SSLCA information.  Does that make sense?  I tried this:
> 
> SSLCACertificatePath    /home/dan/CA/
> SSLCACertificateFile    /home/dan/CA/newcert.pem
> 
> But if I use that combination, my browser certificate is not listed in the 
> "Client Authentication" dialog box presented by the browser when I go 
> to /securelocation.
> 
> Why?  What have I misunderstood?

You should use three distinct certificates (and corresponding private keys):
* The CA certificate. You already have one, use it with SSLCACertificateFile
* The server's certificate. You don't have one by now. Create a new one
  signed by your CA. Issue it for CommonName (CN) being the FQDN
  (fully qualified domain name) of your server: Use it with
  mv newkey.pem server_key.pem
  mv newcert.pem server_cert.pem
  SSLCertificateFile /path/to/server_cert.pem
  SSLCertificateKeyFile /path/to/server_key.pem
* The client key. You already put it into iestuff.p12...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
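The three distinct certificates Lutz describes, built and sanity-checked with openssl as an added shell example that is not part of the thread. The test CA name, the www.example.org hostname, the client CN and the issue_leaf helper are constructed for illustration; it assumes openssl 1.1 or later is installed.

```shell
# Added example, not from the thread: build the three distinct certificates
# Lutz describes (CA, server, client) with openssl in a scratch directory,
# then check for the layout that went wrong in the original vhost config.
# Assumes openssl(1) >= 1.1; directory, hostnames and CNs are constructed.

build_pki() {
    dir="$1"   # scratch directory, e.g. /tmp/demoCA
    fqdn="$2"  # server CommonName must be the FQDN Apache serves
    mkdir -p "$dir"
    # 1. CA certificate + key (self-signed, CA:TRUE) -> SSLCACertificateFile
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Test CA" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. Server certificate signed by the CA -> SSLCertificateFile / SSLCertificateKeyFile
    issue_leaf "$dir" server "/CN=$fqdn"
    # 3. Client certificate signed by the same CA, packed as PKCS#12 for the browser
    issue_leaf "$dir" client "/CN=dan"
    openssl pkcs12 -export -in "$dir/client_cert.pem" -inkey "$dir/client_key.pem" \
        -certfile "$dir/cacert.pem" -passout pass:changeit -out "$dir/iestuff.p12"
}

# Helper (hypothetical name): CSR plus CA signature for one leaf certificate.
issue_leaf() {
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2_key.pem" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 365 -out "$1/$2_cert.pem" 2>/dev/null
}

# Returns 0 when the layout is sane: both leaves chain to the CA, the file
# used as the server cert is not the CA cert itself, and its CN is the FQDN.
check_pki() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server_cert.pem" >/dev/null || return 1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/client_cert.pem" >/dev/null || return 1
    ca_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/cacert.pem")
    srv_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/server_cert.pem")
    [ "$ca_fp" != "$srv_fp" ] || return 1
    openssl x509 -noout -subject -in "$dir/server_cert.pem" | grep -q "CN *= *$fqdn"
}
```

Point SSLCACertificateFile at cacert.pem, SSLCertificateFile and SSLCertificateKeyFile at server_cert.pem and server_key.pem, and import iestuff.p12 into the browser; the fingerprint comparison in check_pki catches exactly the swap of server and CA certificates that Dan had made.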