[ale] client certs for apache

James P. Kinney III jkinney at localnetsolutions.com
Tue Mar 2 23:55:11 EST 2004


On Tue, 2004-03-02 at 23:19, Thomas Wood wrote:
> Just to clarify: are you trying to install 4 certs on 4 servers or 1 
> cert on 4 servers and fool the connecting client into thinking 
> https://server1 = https://server2.  Or am I totally misinterpreting 
> your intent?

It is confusing.

I am trying to install 4 certs on 4 servers and have a single client
authentication cert that is recognized by all four servers.

Installing certs on servers is easy. The clients are the hard part as
they are all over the country. That's the reason for the single cert to
be installed on the clients (there are hundreds, I think).

Right now, the line:

Require ClientAuthorization

is commented out in apache configs. (It may be worded a bit differently.
It's late and I'm too tired to open a connection). But it effectively
prevents just any ol' browser from activating a https:// page unless the
browser has an authorization cert recognized by the server.


> wood
> On Mar 2, 2004, at 6:31 PM, James P. Kinney III wrote:
> 
> > I am stumped on how to properly do the following:
> >
> > 4 different web servers each with a ssl cert. 1 client cert that is
> > accepted by each server as valid to access the ssl areas of the web
> > sites hosted on each one.
> >
> > One server/one client cert is easy. Do some ssl foo to make a server
> > cert and a client cert and sign the client cert with the server cert.
> > Park server cert securely and tell httpd.conf where it is. Import client
> > cert into browsers.
> >
> > Do I need to set one machine as a CA, generate all certs for each server
> > on each individual machine, then sign each server cert by the CA cert?
> > Then make a client cert from the CA cert?
> >
> > Too many really vague theory docs, not enough cookbook on this topic.
> >
> > Any ideas?
> >
> > -- 
> > James P. Kinney III          \Changing the mobile computing world/
> > CEO & Director of Engineering \          one Linux user         /
> > Local Net Solutions,LLC        \           at a time.          /
> > 770-493-8244                    \.___________________________./
> > http://www.localnetsolutions.com
> >
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> 
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
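
The single-CA layout asked about in this thread, as an added example that is not part of the original post: one private CA signs a certificate for each of the four servers plus one shared client certificate, and every server trusts only that CA for client authentication. Host names, subject fields and file names are constructed placeholders; the directives in the trailing comment are mod_ssl's, and the OpenSSL command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (constructed names): one private CA signs four server certs
# and one shared client cert; each server then trusts only that CA.
set -eu

make_ca() {        # $1 = output directory
  printf '%s\n' '[req]' 'distinguished_name=req' 'x509_extensions=v3_ca' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$1/req.cnf"
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/O=Example Org/CN=Example Internal CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {     # $1 = dir, $2 = file base, $3 = CN, $4 = EKU, $5 = SAN (optional)
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$4" > "$1/$2.ext"
  if [ -n "${5:-}" ]; then printf 'subjectAltName=%s\n' "$5" >> "$1/$2.ext"; fi
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

chains_to_ca() {   # $1 = dir, $2 = file base, $3 = sslclient | sslserver
  openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

build_pki() {      # $1 = output directory
  make_ca "$1"
  for n in 1 2 3 4; do
    issue_cert "$1" "server$n" "server$n.example.test" serverAuth \
      "DNS:server$n.example.test"
  done
  issue_cert "$1" client "shared-web-client" clientAuth
}

# mod_ssl settings for each of the four vhosts (per-server cert, common CA):
#   SSLCertificateFile    /path/to/serverN.crt
#   SSLCertificateKeyFile /path/to/serverN.key
#   SSLCACertificateFile  /path/to/ca.crt
#   SSLVerifyClient       require
#   SSLVerifyDepth        1
```

Only ca.crt is copied to the servers; ca.key stays on the signing machine. Because every client holds the same key, withdrawing one client's access means reissuing the certificate for all of them, and issue_cert can instead be called once per client.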