[ale] client certs for apache

Matt Smith msmith at risklabs.com
Wed Mar 3 09:28:29 EST 2004


Client Authentication with certs is really separate (or probably should be) from the SSL cert providing secure communication with the server.

I haven't done this using Apache natively, but my F5 load-balancing/SSL proxy hardware does the same thing, so I'll explain how I set it up - I think it applies here.

Basically, you need to issue all of your client certs from one place (the CA). Then configure each of your servers to trust certs signed by your CA (rather than the SSL cert on the server). The F5 gear has a CRT file in which you put the cert of whatever CA(s) you trust, and it compares the client certs that are presented to it, and if they match up then you're good. I assume what I describe aligns at least somewhat with the Apache setup.


--Matt
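The setup Matt describes, as an added example that is not part of the thread: one private CA issues every certificate, each of the four servers trusts ca.crt, and a single client cert is therefore accepted by all of them. It needs the openssl CLI; every hostname and person below is made up.

```shell
#!/bin/sh
# Added example, not code from the thread: build the setup Matt describes
# with the openssl CLI. One private CA issues every certificate; each of
# the four servers trusts ca.crt, so one client cert works against all of
# them. Needs the openssl binary; every name below is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate and key (keep ca.key offline in real life).
make_ca() {  # $1 = file prefix, $2 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf cert signed by a CA. $1 = CA prefix, $2 = name, $3 = EKU.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 365 \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

setup_pki() {
  make_ca ca "Example Client CA"
  for s in www1 www2 www3 www4; do issue_cert ca "$s" serverAuth; done
  issue_cert ca alice clientAuth          # the one client cert
  make_ca rogue "Some Other CA"           # a CA none of the servers trust
  issue_cert rogue mallory clientAuth
}

# What each server does with a presented client cert: chain it to the CA
# it trusts (the equivalent of the F5 CRT file), never to its own server
# cert. Exit status 0 means accepted.
client_accepted() {  # $1 = client name
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

setup_pki
for s in www1 www2 www3 www4; do
  client_accepted alice && echo "$s: alice accepted"
  client_accepted mallory || echo "$s: mallory rejected"
done
```

On Apache the same trust decision is made by mod_ssl with SSLCACertificateFile pointing at ca.crt and SSLVerifyClient require in the SSL virtual host, which is why the server cert itself plays no part in accepting the client.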



-----Original Message-----
From: James P. Kinney III [mailto:jkinney at localnetsolutions.com]
Sent: Tuesday, March 02, 2004 6:32 PM
To: Atlanta User Group (E-mail)
Subject: [ale] client certs for apache


I am stumped on how to properly do the following:

4 different web servers each with an SSL cert. 1 client cert that is
accepted by each server as valid to access the SSL areas of the web
sites hosted on each one.

One server/one client cert is easy. Do some ssl foo to make a server
cert and a client cert and sign the client cert with the server cert.
Park server cert securely and tell httpd.conf where it is. Import client
cert into browsers.

Do I need to set one machine as a CA, generate all certs for each server
on each individual machine, then sign each server cert by the CA cert?
Then make a client cert from the CA cert?

Too many really vague theory docs, not enough cookbook on this topic.

Any ideas?

-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
