This is a discussion on "SSL - can you insist on having a certificate?" within the Apache Web Server forums, part of the Web Server and Related Forums category.
If you connect to an SSL secure site that does not have a certificate from one of the big CAs, or the certificate has expired, you get asked if you will accept the certificate or not.

I implemented an SSL site at https://www.3gshare.info/ which is for private use, so such messages are not an issue.

However, is it possible to configure the site such that unless you already have a certificate on your machine, you are unable to connect? i.e. the user has no choice to accept it or not - they either have it, or they can't connect?

I don't think this is possible, but if it is, please let me know how. The server runs Apache 2.x.

--
Dave K
http://www.southminster-branch-line.org.uk/
Please note my email address changes periodically to avoid spam. It is always of the form: month-year@domain. Hitting reply will work for a couple of months only. Later set it manually. The month is always written in 3 letters (e.g. Jan, not January etc)
In article <43c27768@212.67.96.135>, Dave <INVALID-see-signature-for-how-to-determine@southminster-branch-line.org.uk> wrote:
> If you connect to an SSL secure site that does not have a
> certificate from one of the big CAs, or the certificate has
> expired, you get asked if you will accept the certificate or not.
>
> I implemented an SSL site at
>
> https://www.3gshare.info/
>
> which is for private use, so such messages are not an issue.
>
> However, is it possible to configure the site such that unless you
> already have a certificate on your machine, you are unable to
> connect? i.e. the user has no choice to accept it or not - they
> either have it, or they can't connect?
>
> I don't think this is possible, but if it is, please let me know
> how. The server runs Apache 2.x.

Could you use the mod_ssl "SSLRequireSSL" and "SSLVerifyClient require" directives together with SSL/TLS client certificates you generate, sign and issue? I haven't tried this myself, but <http://httpd.apache.org/docs/2.0/mod/mod_ssl.html> might be a good place to start.

--
Rob Skedgell <rob+news@nephelococcygia.demon.co.uk>
From: address is a spamtrap, Reply-To: is valid.
GnuPG/PGP: 7DA3 1579 C0DD 8748 C05A B984 E2A2 3234 D14B 6DD7
Davide Bianchi wrote:
> On 2006-01-09, Dave <INVALID-see-signature-for-how-to-determine@southminster-branch-line.org.uk> wrote:
>
>> However, is it possible to configure the site such that unless you
>> already have a certificate on your machine, you are unable to connect?
>
> Yes, by requiring the client to authenticate with a certificate.
> See http://httpd.apache.org/docs/2.0/ssl...tml#allclients
>
> Davide

Thanks Davide, that looks just what I want.

Have you any idea how one loads the certificates into a browser? I'm not in a position to take that site down to test this, but I will set up a test SSL site at some point. Would the browser ask for a location of the certificate, or does it expect it to be installed? I realise this is a browser-specific issue, but I can't find any obvious way of adding the certificate in Mozilla 1.4. Perhaps one can manually add it to a directory somewhere. Not too hard if you are computer literate, but perhaps not ideal for normal usage.

I'd like to put the certificate on a USB key, and users have to install it from that. The main OS would be Winblows and Internot Expliter.

--
Dave K
http://www.southminster-branch-line.org.uk/
Please note my email address changes periodically to avoid spam. It is always of the form: month-year@domain. Hitting reply will work for a couple of months only. Later set it manually. The month is always written in 3 letters (e.g. Jan, not January etc)
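Putting Rob's and Davide's suggestion into practice, and answering the "how does the certificate get into the browser" question, here is an added example that is not from any poster in this thread. It is a POSIX shell script that (a) writes the mod_ssl virtual host fragment with `SSLVerifyClient require`, so the TLS handshake itself fails unless the client presents a certificate signed by your own CA, and (b) builds that CA, issues one client certificate, and packages it as a PKCS#12 (.p12) file, which is the format Windows/Internet Explorer and Mozilla both import. The host name, file paths, CA name, user name and password are assumptions, and the certificate steps need the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the thread. Everything below (host name,
# paths, CA name, user name) is an assumption chosen for illustration.
set -eu

# Write the mod_ssl vhost fragment to the file named in $1.
# "SSLVerifyClient require" makes mod_ssl abort the handshake when the
# client offers no certificate chaining to a CA in SSLCACertificateFile,
# so there is no accept/decline prompt: the browser either has a matching
# certificate or the connection is dropped.
write_vhost_config() {
    out="$1"
    cat > "$out" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Trust only our own CA for client certificates, and insist on one.
    # Depth 1 is enough because the CA signs client certs directly.
    SSLCACertificateFile  /etc/apache2/ssl/ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    DocumentRoot /var/www/private
    <Directory /var/www/private>
        SSLRequireSSL
        SSLOptions +StrictRequire
    </Directory>
</VirtualHost>
EOF
}

# Create the CA, one client certificate and its .p12 bundle in directory $1
# for user $2, protecting the .p12 with password $3. Requires openssl.
# Only the .p12 goes on the USB key; ca.key stays on the admin machine.
make_client_bundle() {
    dir="$1"; user="$2"; p12pass="$3"
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (the only CA the server trusts)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Private Site CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # client key and certificate request
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    # sign the request with the CA
    openssl x509 -req -days 365 -in "$dir/$user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$user.crt" 2>/dev/null
    # bundle key + certificate + CA certificate as PKCS#12 for browser import
    openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.crt" \
        -certfile "$dir/ca.crt" -name "$user" \
        -passout "pass:$p12pass" -out "$dir/$user.p12"
    # sanity check: the issued certificate must chain to the CA
    openssl verify -CAfile "$dir/ca.crt" "$dir/$user.crt" >/dev/null
}

# Does certificate $2 chain to CA certificate $1? Exit 0 if yes.
# This is the same check mod_ssl performs during the handshake.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone use: sh clientcerts.sh <outdir> <username> <p12-password>
if [ "$#" -eq 3 ]; then
    write_vhost_config "$1/private-site.conf"
    make_client_bundle "$1" "$2" "$3"
    echo "wrote $1/$2.p12 (import into the browser) and $1/private-site.conf"
fi
```

On Windows, opening the .p12 file starts the certificate import wizard and puts the certificate and key in the user's personal store, which Internet Explorer presents when the server asks for a client certificate; in Mozilla the certificate manager (Preferences, Privacy & Security, Certificates) has an Import button on its "Your Certificates" tab that takes the same .p12 file. Two caveats: the client-certificate requirement does not by itself remove the warning about the self-signed server certificate, so issue the server certificate from the same CA and have users trust ca.crt if that prompt should go away as well; and OpenSSL 3.x writes PKCS#12 files with AES and PBKDF2 by default, which very old browsers such as Mozilla 1.4 cannot read, so add `-legacy` to the `openssl pkcs12 -export` command for those.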