Yes, you are right about client certificate verification with the CA. I am not sure about OCSP verification.
On Sun, Aug 23, 2015 at 1:21 PM, Sterpu Victor <vic...@caido.ro> wrote:
> I'm not sure I got this right, this is what I was thinking:
> - client sends his certificate, with the public key included; the certificate contains a signature of the client certificate made with the private key of the CA;
> - apache server has the public key of the CA and can check the signature of the CA
> Is this right?
>
> Does this check include OCSP verification? If not, can this be done from apache?
>
> Thank you.
>
> ------ Original Message ------
> From: "Mohanavelu Subramanian" <mhnv...@gmail.com>
> To: users@httpd.apache.org; "Sterpu Victor" <vic...@caido.ro>
> Sent: 8/23/2015 10:19:13 AM
> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>
> Hi,
>
> With the option "SSLVerifyClient require", the server mandates the client to send its certificate for authentication. Then the server verifies this client certificate against the CA certificate file configured in apache. If the client certificate has been signed by a valid CA, then the authentication is successful.
>
> There are cases where a sub CA certificate can be generated from the root certificate. So this will end up in a hierarchy of CA certificates. The final sub CA certificate would be used to sign the client certificate. With the option "SSLVerifyDepth 10", the server will verify the client certificate to the level of 10, meaning it will verify from 0 up the hierarchy to 10.
> Maximum depth of CA Certificates in Client Certificate verification
>
> When the client sends a fake certificate (not signed by the CA), the authentication will fail at the server.
>
> Regards,
> Mohan
>
> On Sun, Aug 23, 2015 at 12:21 PM, Sterpu Victor <vic...@caido.ro> wrote:
>
>> Hello
>>
>> I have a web page that asks for a client certificate.
>> These are the options for this:
>>
>> SSLVerifyClient require
>> SSLVerifyDepth 10
>>
>> How does SSLVerifyClient verify the client certificate?
>> Does this option protect against certificates manually made with a fake public-private key pair?
>> So can someone make a certificate identical to the original, attach another set of public and private keys and pretend to be someone else?
>>
>> Thank you
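The thread's two questions (does the CA signature check defeat a certificate that copies the original but carries a different key pair, and what SSLVerifyDepth bounds) can be reproduced outside Apache. The program below is an added example written for this page in Go with the standard crypto/x509 package; it is not Apache's code and not from anyone on the list. It builds a made-up in-memory hierarchy (root CA, sub CA, client "alice"), then a forgery with the same subject, serial and issuer name signed with an attacker's key, and runs the same path-building and signature check mod_ssl performs. The CA names, serials and the VerifyClient helper are assumptions of this example; the depth semantics follow the SSLVerifyDepth documentation (1 = signed directly by a trusted CA, 2 = one sub CA in between).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed in-memory hierarchy (all names and keys are made up):
// root -> sub CA -> client, plus an attacker's look-alike issuer and forged client.
type PKI struct {
	Root, SubCA, Client, FakeIssuer, Forged *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for pub with parentKey, the issuer's private key; nil parent = self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// template builds a CA template (basicConstraints CA:TRUE) or a client-auth leaf template.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// BuildPKI issues the genuine chain, then a forgery that copies the client's subject,
// serial and issuer name but is signed with a key the real sub CA never held.
func BuildPKI() PKI {
	rootKey, subKey, clientKey, attackerKey := newKey(), newKey(), newKey(), newKey()
	root := issue(template(1, "Example Root CA", true), nil, &rootKey.PublicKey, rootKey)
	subCA := issue(template(2, "Example Sub CA", true), root, &subKey.PublicKey, rootKey)
	client := issue(template(3, "alice", false), subCA, &clientKey.PublicKey, subKey)
	// Same issuer name as the real sub CA, but the attacker's own key pair behind it.
	fakeIssuer := issue(template(2, "Example Sub CA", true), nil, &attackerKey.PublicKey, attackerKey)
	forged := issue(template(3, "alice", false), fakeIssuer, &attackerKey.PublicKey, attackerKey)
	return PKI{Root: root, SubCA: subCA, Client: client, FakeIssuer: fakeIssuer, Forged: forged}
}

// VerifyClient emulates SSLVerifyClient require + SSLVerifyDepth: the leaf must chain
// through the intermediates to a trusted root, and the number of CA certificates
// above it (1 = signed directly by a root, 2 = one sub CA) must not exceed maxDepth.
func VerifyClient(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, maxDepth int) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil { // no path to a trusted root: some CA signature did not verify
		return 0, fmt.Errorf("client certificate rejected: %w", err)
	}
	depth := len(chains[0]) - 1 // CA certificates above the leaf, root included
	if depth > maxDepth {
		return depth, fmt.Errorf("chain depth %d exceeds SSLVerifyDepth %d", depth, maxDepth)
	}
	return depth, nil
}

func main() {
	p := BuildPKI()
	// Trusted roots, and the pool chains are built from: the server's CA bundle plus what the client sent.
	roots, inter := []*x509.Certificate{p.Root}, []*x509.Certificate{p.SubCA, p.FakeIssuer}
	fmt.Println(VerifyClient(p.Client, inter, roots, 10)) // 2 <nil>
	fmt.Println(VerifyClient(p.Client, inter, roots, 1))  // 2 chain depth 2 exceeds SSLVerifyDepth 1
	fmt.Println(VerifyClient(p.Forged, inter, roots, 10)) // 0 and a non-nil "unknown authority" error
}
```

The forged certificate fails even though its issuer name matches the real sub CA and the attacker's look-alike issuer is available for chain building: the signature on the leaf cannot be verified with the genuine sub CA's public key, and the look-alike issuer itself has no valid signature from the trusted root. This is the whole of what "SSLVerifyClient require" proves: possession of a certificate that the configured CA actually signed. Revocation is a separate check that this example does not perform; in Apache 2.4 mod_ssl it is enabled for client certificates with the SSLOCSPEnable directive.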