[ale] client certs for apache
Thomas Wood
thomaswood at mac.com
Wed Mar 3 08:00:20 EST 2004
man apachectl. Just kidding; I hate that smartass answer. Your issue
sounds a lot like something I was working on but with more http boxes.
My plan was to set up a CA to create and sign all of my certs. I think
this would work well for you too since it gives you absolute control
over all variables in testing.
As for the lack of cookbook, I think this is one of those solutions
where you're going to be putting together a bunch of different
established elements and rolling the dice. There are quite a few FAQs,
docs and tips on self-signing, creating certs and setting up your own
CA. Between those, the theory and the httpd.conf comments, the answer
is there if you're willing to extrapolate it. Test, test, test. Once
you have a workable solution, get your favorite sniffer involved and
see what the traffic looks like compared to a plain Jane
1 server/1 client.
And of course, the obligatory: once you get something working, post
your docs!
Hopefully, one of the other alers can provide more direct support.
wood
On Mar 2, 2004, at 11:53 PM, James P. Kinney III wrote:
> On Tue, 2004-03-02 at 23:19, Thomas Wood wrote:
>> Just to clarify: are you trying to install 4 certs on 4 servers or 1
>> cert on 4 servers and fool the connecting client into thinking
>> https://server1 = https://server2. Or am I totally misinterpreting
>> your intent?
>
> It is confusing.
>
> I am trying to install 4 certs on 4 servers and have a single client
> authentication cert that is recognized by all four servers.
>
> Installing certs on servers is easy. The clients are the hard part as
> they are all over the country. That's the reason for the single cert to
> be installed on the clients (there are hundreds, I think).
>
> Right now, the line:
>
> Require ClientAuthorization
>
> is commented out in apache configs. (It may be worded a bit differently.
> It's late and I'm too tired to open a connection). But it effectively
> prevents just any ol' browser from activating an https:// page unless the
> browser has an authorization cert recognized by the server.
>
>
>> wood
>> On Mar 2, 2004, at 6:31 PM, James P. Kinney III wrote:
>>
>>> I am stumped on how to properly do the following:
>>>
>>> 4 different web servers each with an ssl cert. 1 client cert that is
>>> accepted by each server as valid to access the ssl areas of the web
>>> sites hosted on each one.
>>>
>>> One server/one client cert is easy. Do some ssl foo to make a server
>>> cert and a client cert and sign the client cert with the server cert.
>>> Park server cert securely and tell httpd.conf where it is. Import client
>>> cert into browsers.
>>>
>>> Do I need to set one machine as a CA, generate all certs for each server
>>> on each individual machine, then sign each server cert by the CA cert?
>>> Then make a client cert from the CA cert?
>>>
>>> Too many really vague theory docs, not enough cookbook on this topic.
>>>
>>> Any ideas?
>>>
>>> --
>>> James P. Kinney III \Changing the mobile computing world/
>>> CEO & Director of Engineering \ one Linux user /
>>> Local Net Solutions,LLC \ at a time. /
>>> 770-493-8244 \.___________________________./
>>> http://www.localnetsolutions.com
>>>
>>> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
>>> <jkinney at localnetsolutions.com>
>>> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://www.ale.org/mailman/listinfo/ale
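The CA-based layout the thread arrives at, as an added example that is not from either poster: one private CA issues the four server certs and the single client cert, and each vhost names the CA in SSLCACertificateFile with SSLVerifyClient require, the mod_ssl directive that enforces the client-cert requirement the quoted message describes. Hostnames, the work directory and the config paths are constructed placeholders; the script assumes the openssl command-line tool is installed.

```shell
# Added example, not from the thread: one private CA signs four server certs and
# one client cert, so every server trusts that client cert by trusting the CA.
# Hostnames and the work directory are constructed placeholders; needs openssl.
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
SERVERS="server1 server2 server3 server4"

# make_ca: self-signed CA key and cert; ca.key never goes onto the web servers.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$PKI_DIR/ca.key" \
        -out "$PKI_DIR/ca.crt" -subj "/CN=Example Private CA" >/dev/null 2>&1
}

# issue_cert NAME: key and CSR for NAME, signed by the CA (never by a server cert).
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$PKI_DIR/$1.key" \
        -out "$PKI_DIR/$1.csr" -subj "/CN=$1" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/ca.crt" \
        -CAkey "$PKI_DIR/ca.key" -CAcreateserial -out "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# write_vhost_conf NAME: mod_ssl fragment for one server, anchored on the CA, not on itself.
write_vhost_conf() {
    cat > "$PKI_DIR/$1.ssl.conf" <<EOF
SSLEngine on
SSLCertificateFile    $PKI_DIR/$1.crt
SSLCertificateKeyFile $PKI_DIR/$1.key
SSLCACertificateFile  $PKI_DIR/ca.crt
SSLVerifyClient require
EOF
}

# build_pki: CA, four server certs with their fragments, one client cert.
build_pki() {
    make_ca || return 1
    for s in $SERVERS; do issue_cert "$s" && write_vhost_conf "$s" || return 1; done
    issue_cert client
}

# client_trusted_by_all: check client.crt against the anchor each fragment names, as mod_ssl does.
client_trusted_by_all() {
    for s in $SERVERS; do
        anchor=$(awk '/^SSLCACertificateFile/ {print $2}' "$PKI_DIR/$s.ssl.conf")
        openssl verify -CAfile "$anchor" "$PKI_DIR/client.crt" >/dev/null 2>&1 || return 1
    done
}

# client_not_trusted_by_server_cert: the one-server recipe does not scale; server1.crt is no issuer.
client_not_trusted_by_server_cert() {
    ! openssl verify -CAfile "$PKI_DIR/server1.crt" "$PKI_DIR/client.crt" >/dev/null 2>&1
}
```

Source the file and run `build_pki && client_trusted_by_all && echo ok`; the generated `*.ssl.conf` fragments show the directives each server needs, with only the CA cert shared between machines.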