Home > Archive > Web Servers on Unix and Linux > August 2007 > ssl client cert setup/generate question
ssl client cert setup/generate question
I have a site with an SSL cert from verisign, running Apache 2.2,
mod_ssl on ubuntu.
I need to add the ability for some users to require a client cert.
I have found:
SSLVerifyClient optional
How do I go about generating client certs for my users?
-- Thanks!
uncle wrote:
> I have a site with an SSL cert from verisign, running Apache 2.2,
> mod_ssl on ubuntu.
>
> I need to add the ability for some users to require a client cert.
>
> I have found:
> SSLVerifyClient optional
>
> How do I go about generating client certs for my users?
>
> -- Thanks!
>
They (users) would have to either get their client certs from a CA, like
Verisign, or you'd have to issue them yourself using some kind of CA
software (e.g., MS Certificate Server on Win2K/2K3 Server, etc.).
If the client certs get issued by a 3rd-party CA or by your own, you'll
need to include the CA's certificates (e.g., root+subroot) in your Apache
SSL configuration so that Apache "trusts" those certs.
Jim
Paul Rubin 2007-08-24, 1:17 am
uncle <aktxyz@gmail.com> writes:
> How do I go about generating client certs for my users?
You have to either run your own CA or use someone else's. Running a
serious one takes an enormous amount of effort. If you want to run a
casual one, there are some shell scripts included with OpenSSL or you
could use something like PyCA (www.pyca.de). For security you might
run it on a laptop that you keep locked in a safe when not in use
(transfer CSRs and certs to and from it on physical media such as USB
keys--don't ever connect it to any type of network), preferably with
the signing root on a secure device like a smart card.
If you want to run a serious CA, talk to Entrust, Xcert(?), etc. and
be ready to pay a lot. I don't recommend doing this unless you're a
quite large organization with fairly high volume requirements.
If you want a remotely managed one, Verisign has a nice product that
is (or was) horribly overpriced. I think some other companies have
comparable stuff that might be cheaper but I haven't paid attention to
this field in a while. This is probably the best approach for a small
or medium-sized organization that needs moderate quantities of
non-bogus certificates on an ongoing basis and doesn't want the hassle
of operating a real CA.