ssl client cert setup/generate question

  #1 (permalink)  
Old 08-23-2007
uncle

I have a site with an SSL cert from verisign, running Apache 2.2,
mod_ssl on ubuntu.

I need to add the ability for some users to require a client cert.

I have found:
SSLVerifyClient optional

How do I go about generating client certs for my users ?

-- Thanks !

  #2 (permalink)  
Old 08-24-2007
ohaya

uncle wrote:
> I have a site with an SSL cert from verisign, running Apache 2.2,
> mod_ssl on ubuntu.
>
> I need to add the ability for some users to require a client cert.
>
> I have found:
> SSLVerifyClient optional
>
> How do I go about generating client certs for my users ?
>
> -- Thanks !
>



They (users) would have to either get their client certs from a CA, like
Verisign, or you'd have to issue them yourself using some kind of CA
software (e.g., MS Certificate Server on Win2K/2K3 Server, etc.).

If the client certs get issued by a 3rd party CA or by your own, you'll
need to include the CA's certificates (e.g., root+subroot) in your Apache
SSL configuration so that Apache "trusts" those certs.

Jim
  #3 (permalink)  
Old 08-24-2007
Paul Rubin

uncle <aktxyz@gmail.com> writes:
> How do I go about generating client certs for my users ?


You have to either run your own CA or use someone else's. Running a
serious one takes an enormous amount of effort. If you want to run a
casual one, there are some shell scripts included with OpenSSL or you
could use something like PyCA (www.pyca.de). For security you might
run it on a laptop that you keep locked in a safe when not in use
(transfer CSR's and certs to and from it on physical media such as USB
keys--don't ever connect it to any type of network), preferably with
the signing root on a secure device like a smart card.

If you want to run a serious CA, talk to Entrust, Xcert(?), etc. and
be ready to pay a lot. I don't recommend doing this unless you're a
quite large organization with fairly high volume requirements.

If you want a remotely managed one, Verisign has a nice product that
is (or was) horribly overpriced. I think some other companies have
comparable stuff that might be cheaper but I haven't paid attention to
this field in a while. This is probably the best approach for a small
or medium sized organization that needs moderate quantities of
non-bogus certificates on an ongoing basis and doesn't want the hassle
of operating a real CA.
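
A minimal version of the "casual CA" route described in the replies above, as an added example that is not part of the original thread: it uses only the `openssl` command line to create a private CA, sign a user's CSR as a client-auth-only certificate, and check the chain the way a server would. The subject names, file names and the `make_ca`, `issue_client_cert` and `verify_client_cert` helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: casual private CA issuing a TLS client certificate.
# Names, subjects and paths are constructed; -nodes leaves keys unencrypted
# only to keep this non-interactive (use a passphrase on a real CA key).
set -eu
umask 077

make_ca() {                      # $1 = CA directory
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Client CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt"
}

issue_client_cert() {            # $1 = CA directory, $2 = user name
    # User side: key pair and CSR; only the CSR travels to the CA machine.
    openssl req -new -config "$1/ca.cnf" -subj "/O=Example Org/CN=$2" \
        -newkey rsa:2048 -nodes -sha256 -keyout "$1/$2.key" -out "$1/$2.csr"
    # CA side: sign the CSR, restricting the certificate to client auth.
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$1/ca.cnf" -extensions client -out "$1/$2.crt"
}

verify_client_cert() {           # $1 = CA certificate, $2 = client certificate
    openssl verify -purpose sslclient -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Apache (mod_ssl) then trusts this CA via SSLCACertificateFile pointing at
# ca.crt, alongside the SSLVerifyClient directive mentioned in the thread.
demo=$(mktemp -d)
make_ca "$demo"
issue_client_cert "$demo" alice
verify_client_cert "$demo/ca.crt" "$demo/alice.crt" && echo "alice.crt verifies"
```

Apache needs only `ca.crt`; `ca.key` stays on the CA machine.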
 