[ale] client certs for apache

Thomas Wood thomaswood at mac.com
Wed Mar 3 08:00:20 EST 2004 

man apachectl.  Just kidding; I hate that smartass answer.  Your issue 
sounds alot like something I was working on but with more http boxes.  
My plan was to setup a CA to create and sign all of my certs.  I think 
this would work well for you too since It gives you absolute control 
over all variables in testing.

As for the lack of cookbook, I think this is one of those solutions 
where you're going to be putting together a bunch of different 
established elements and rolling the dice.  There are quite a few faqs, 
docs and tips on self-signing, creating certs and setting up your own 
CA.  Between those, the theory and the httpd.conf comments, the answer 
is there if you're willing to extrapolate it.  Test, test, test.  Once 
you have a workable solution, get your favorite sniffer involved and 
see what the traffic looks like compared to a plane jane 
1server/1client.

And of course, the obligatory: once you get something working, post 
your docs!

Hopefully, one of the other alers can provide more direct support.
wood
On Mar 2, 2004, at 11:53 PM, James P. Kinney III wrote:

> On Tue, 2004-03-02 at 23:19, Thomas Wood wrote:
>> Just to clarify: are you trying to install 4 certs on 4 servers or 1
>> cert on 4 servers and fool the connecting client into thinking
>> https://server1 = https://server2.  Or am I totally misinterpreting
>> your intent?
>
> It is confusing.
>
> I trying to install 4 certs on 4 servers and have a single client
> authentication cert that is recognized by all four servers.
>
> Installing certs on servers is easy. The clients are the hard part as
> they are all over the country. Thats the reason for the single cert to
> be installed on the clients (there are hundreds, I think)
>
> Right now, the line:
>
> Require ClientAuthorization
>
> is commented out in apache configs. (It may be worded a bit 
> differently.
> It's late And I'm too tired to open a connection). But is effectively
> prevents just any ol' browser from activating a https:// page unless 
> the
> browser has a authorization cert recognized by the server.
>
>
>> wood
>> On Mar 2, 2004, at 6:31 PM, James P. Kinney III wrote:
>>
>>> I am stumped on how to properly do the following:
>>>
>>> 4 different web servers each with a ssl cert. 1 client cert that is
>>> accepted by each server as valid to access the ssl areas of the web
>>> sites hosted on each one.
>>>
>>> One server/one client cert is easy. Do some ssl foo to make a server
>>> cert and a client cert and sign the client cert with the server cert.
>>> Park server cert securely and tell httpd.conf where it is. Import
>>> client
>>> cert into browsers.
>>>
>>> Do I need to set one machine as a CA, generate all certs for each
>>> server
>>> on each individual machine, then sign each server cert by the CA 
>>> cert?
>>> Then make a client cert from the CA cert?
>>>
>>> Too many really vague theory docs, not enough cookbook on this topic.
>>>
>>> Any ideas?
>>>
>>> -- 
>>> James P. Kinney III          \Changing the mobile computing world/
>>> CEO & Director of Engineering \          one Linux user         /
>>> Local Net Solutions,LLC        \           at a time.          /
>>> 770-493-8244                    \.___________________________./
>>> http://www.localnetsolutions.com
>>>
>>> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
>>> <jkinney at localnetsolutions.com>
>>> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://www.ale.org/mailman/listinfo/ale
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://www.ale.org/mailman/listinfo/ale
> -- 
> James P. Kinney III          \Changing the mobile computing world/
> CEO & Director of Engineering \          one Linux user         /
> Local Net Solutions,LLC        \           at a time.          /
> 770-493-8244                    \.___________________________./
> http://www.localnetsolutions.com
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

More information about the Ale mailing list