Hi Mark, To answer your questions:
- You can create your own Certificate Authority (CA) with no links to any other certificate, institution, ... A typical CA certificate is just that: a self-signed certificate (= signed with the private key matching the public key contained inside the certificate).

- Client authentication is part of SSL. It is during the SSL handshake that the server will request the client certificate. So the short answer would be: NO, you cannot implement this without SSL.

- The CA the server requires for the client certificates can be completely unrelated to the server certificate.

So I think your ideal solution would be to have a standard (i.e. Verisign) server certificate, but your own client certificates with their own CA (the one you created yourself). To implement this, your keystoreFile (containing the server and matching CA certificate) will be different from your truststoreFile (containing the client CA certificate).

If you go with the really cheap option to create the server certificate yourself as well, you will indeed have the issue mentioned below. But do know that this CA certificate is typically automatically added to the browser store during the generation of the client certificate. Meaning that if 100% of your clients will be accessing this server with a client certificate, this is not an issue.

Have a look at EJBCA (Enterprise Java Beans Certificate Authority, http://ejbca.sourceforge.net/) for the certificate management part. Distributing certificates, and more importantly the matching private keys, is not an easy thing to do with the OpenSSL command-line tools.

Regards,
Johan

-----Original Message-----
From: Tim Diggins [mailto:[EMAIL PROTECTED]
Sent: Monday 23 May 2005 12:24
To: Tomcat Users List
Subject: Re: Client Authentication certificates

Hi Mark - I saw it, and... don't know the answers for the second two (don't fully understand the questions), but yes, you can create your own Certificate Authority, no problem -- however your clients will each then either have to click through various warning dialogues each time, or they will have to add the root certificate to their list of trusted certificate authorities. How exactly to do this varies from browser to browser (and OS to OS sometimes)...

--Tim

Mark Benussi wrote:
> Morning all..
>
> I have a web app and for certain areas of the site I wish to restrict access
> to a Client Authentication certificate. I want to generate a root
> Certificate for my company domain and then sub domains for a variety of
> customers. Then I wish to be able to generate certificates for certain users
> within these sub domains.
>
> My questions are:
>
> Can I build a root certificate that is not signed by someone like Verisign
> or any other trusted root? (This is a cost issue).
>
> Can I implement the Client Authentication on a server which does not have
> SSL implemented?
>
> Can I implement the Client Authentication on a server which already has an
> SSL certificate, signed by someone like Verisign and effectively run both?
>
> Would appreciate your thoughts and also any pointers on where to start
> digging.
>
> TIA Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
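As an added example (not Johan's text or Tomcat's own documentation), here is a Tomcat 5.x `server.xml` HTTPS connector set up the way Johan describes: the keystore carries the commercially signed server certificate, the truststore carries only the self-created client CA. File paths and passwords are assumed placeholders.

```xml
<!-- Added example: HTTPS connector with separate keystore and truststore.
     keystoreFile  = server private key + server certificate (+ its Verisign chain)
     truststoreFile = ONLY the private CA certificate that issued the client
                      certificates; nothing else needs to be in it.
     Paths and passwords below are placeholders, not values from the thread. -->
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           maxThreads="150" enableLookups="false" disableUploadTimeout="true"
           keystoreFile="/etc/tomcat/server-keystore.jks"
           keystorePass="changeit"
           truststoreFile="/etc/tomcat/client-ca-truststore.jks"
           truststorePass="changeit"
           clientAuth="true" />

<!-- The truststore is built by importing just the private CA certificate, e.g.
       keytool -import -alias clientca -file ca.crt \
               -keystore /etc/tomcat/client-ca-truststore.jks
     Do not import the Verisign root here: it would let anyone holding a
     Verisign-issued certificate satisfy the client-certificate check.

     Weak variant for contrast: leaving clientAuth at its default ("false") means
     the server never asks for a client certificate at all, and omitting
     truststoreFile makes Tomcat fall back to the JVM's default trust store
     (cacerts), so every public CA in that bundle would be accepted as a
     client-certificate issuer instead of only your own CA. -->
```

With `clientAuth="true"` the handshake fails for clients that present no certificate, which is why Johan notes that this only works cleanly when all clients are expected to hold one.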