Can I use a CA-signed cert to create client authentication certificates?
on 22.09.2008 20:54:37 by Jan Stian Gabrielli
I am trying to set up Apache with mod_ssl, and I have it working with a
self-signed CA. But I can not get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a "third"
party where one does not have access to their root CA key?

I.e.

I have generated an apache_server.key, made an apache_server.csr and sent
this for signing by thawte.com. Received an apache_server.crt.

Created a client.key and a client.csr. Signed it with my apache_server.key
and apache_server.crt.

Converted the client.key and .crt to a PKCS#12 file and imported this into my
browser, but I can not make things work.

SSL works fine on the server on pages that do not require SSL client auth.

As I stated earlier, it works when I create and self-sign a CA, but I can't
make it work when I use a 3rd party CA and only have apache_server.key,
apache_server.crt and the Thawte root cert.

Best regards

Wizkidnono
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Can I use a CA-signed cert to create client authentication certificates?
on 22.09.2008 22:19:05 by Matt Stevenson
Sounds like you're trying to use the Thawte Apache cert to sign your client
certs? The Thawte cert won't have the right attributes to sign a client cert
and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt
Re: Can I use a CA-signed cert to create client authentication certificates?
on 23.09.2008 14:39:16 by Jan Stian Gabrielli
Ok. This seems like a viable solution.
I.e. I use an approved CA-signed cert to verify the site's authenticity, and I
use a self-signed CA root for client certificates.

Can you point me in a direction of how I make this work in Apache?
I already have a setup with a self-signed CA working for client certificates.

Created SelfSignedCA
|-->Create and Sign Apache Cert from SelfSignedCA
|-->Create and Sign Client Cert from SelfSignedCA

How do I incorporate this with a CA (Thawte) signed webserver certificate?

Best regards

Wizkidnono
Re: Can I use a CA-signed cert to create client authentication certificates?
on 23.09.2008 20:36:51 by Matt Stevenson
Hi,

Basically...

SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt
Re: Can I use a CA-signed cert to create client authentication certificates?
on 25.09.2008 10:37:00 by Jan Stian Gabrielli
Thank you very much Matt.
That solved it :).

I now have "Client Certificate Authentication" working with a CA-signed
certificate and a self-signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup?
Although I think this problem might be Firefox specific, I'm hoping for some
advice here.

Internet Explorer handles the client certificates fine, prompts me to select
a certificate on connection to the site and basically just works after that.

But when Firefox is set to "Ask me every time" instead of "auto select client
certificate" I keep getting the select certificate pop-up several (multiple)
times per page request/load from the SSL secured Apache server.
There is only one certificate in the select-from dialog, but it keeps
prompting me and I can see it loading "one" and "one" item (image) on the
website.
If I switch to "Auto select certificate" it works. But it would be nice not
having the browser present the certificate without it being the user's
choice. And honestly, choosing it once per session per site should be
sufficient.

I should probably mention that the page served up is behind a mod_proxy
module. But this content should not differ for Firefox, and certificate
selection. Or does the mod_ssl module prompt for a client certificate for
each item loaded?

I have googled this but can't find any good answers.
Some say it is because of image objects loading. But why?

Best regards

Jan Stian Gabrielli
Re: Can I use a CA-signed cert to create client authentication certificates?
on 26.09.2008 19:02:15 by Matt Stevenson
Hi,

Asking every time does make it complicated. I can't remember if the Firefox
default is to ask or auto supply (and it has changed behavior between 1/2/3
AFAIK); I have it as ask every time.

Anyway the ask-every-time FF behavior isn't very nice for users (auto supply
is probably fine for most users). FF will also ask for a cert every session
ID change.

As you know there isn't an ask-once option, which would be very nice. I don't
think there is much that can be done to "fix" it other than coding up an
"ask once" option in FF (which I haven't got the time to do :( ).

Anyway you may also want to use/need "SSLOptions +OptRenegotiate" if you have
portions of the site that do and don't require client certs. It can help
greatly with IE. Sometimes IE goes a little funny and renegotiates sessions
all the time going from non-client-cert to client-cert areas.

Regards
Matt
Embedded purposes
on 06.10.2008 20:32:45 by post
If a user is trying to authenticate himself with an SSL web server, he
needs to present a valid personal certificate, I understand. But what if
the purpose of the client certificate is not valid? I mean, for one
user's certificate, Mozilla SeaMonkey reports: "This certificate has
been verified for the following uses: Email Signer Certificate and Email
Recipient Certificate". Will an SSL web server accept such a client
certificate for authenticating an SSL web connection?
Gunnar Vestergaard
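An added example, not code from the thread or from mod_ssl: a POSIX shell script (assumed to run with openssl(1) on the path) that reproduces the three points raised above with throw-away keys. It stands up a made-up "public" root that plays Thawte's part and issues a server leaf, then shows that a client cert signed with that leaf fails verification, which is the "right attributes" Matt's 22.09 reply refers to (the server cert carries CA:FALSE and no keyCertSign, so it cannot issue certificates); that a private client CA plus the directives from Matt's 23.09 reply works, with the per-location layout and SSLOptions +OptRenegotiate from his 26.09 reply; and, for Gunnar's question, that a cert whose extendedKeyUsage lists only emailProtection is refused once the verifier applies the SSL-client purpose, which is the purpose OpenSSL applies when a server validates a client certificate. Every subject name, file name, the /secure location and the password changeit are invented.

```shell
#!/bin/sh
# Added example, not from the original thread. Every name and path is made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles. [leaf] is what a public CA issues for a web server:
# no CA:TRUE, no keyCertSign, so it cannot act as an issuer.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[email]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
EOF

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

# self_signed NAME PROFILE CN  -> NAME.key, NAME.crt
self_signed() {
    q openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$3" \
        -config ext.cnf -extensions "$2"
}

# issue NAME ISSUER PROFILE CN  -> NAME.key, NAME.csr, NAME.crt
# (CSR signed with ISSUER.key and ISSUER.crt, as the first post describes)
issue() {
    q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -config ext.cnf -keyout "$1.key" -out "$1.csr"
    q openssl x509 -req -days 30 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -extfile ext.cnf -extensions "$3" -out "$1.crt"
}

# verify_client CERT ANCHOR [UNTRUSTED]: the check a server performs on a client
# cert against SSLCACertificateFile, including the ssl-client purpose check
verify_client() {
    q openssl verify -purpose sslclient -CAfile "$2.crt" \
        -untrusted "${3:-$2}.crt" "$1.crt"
}

build_pki() {
    self_signed public_root ca "Public Root CA (stand-in for Thawte)"
    issue apache_server public_root leaf www.example.test  # CA-issued server cert
    self_signed client_ca ca "Example Client CA"           # private CA for client certs
    issue client_bad  apache_server client alice  # signed with the server cert: the failing setup
    issue client_good client_ca     client alice  # signed with the private CA: the working setup
    issue client_mail client_ca     email  alice  # right CA, wrong purpose (emailProtection only)
    # What the user imports into the browser; the CA is bundled so the chain is complete.
    q openssl pkcs12 -export -in client_good.crt -inkey client_good.key \
        -certfile client_ca.crt -passout pass:changeit -out client_good.p12
}

# mod_ssl side: public cert for the server, private CA for clients.
write_httpd_conf() {
    cat > httpd-ssl.conf <<EOF
SSLEngine on
# the CA-issued (Thawte in the thread) server certificate and key
SSLCertificateFile    $WORK/apache_server.crt
SSLCertificateKeyFile $WORK/apache_server.key
# only the private client CA (public part) is trusted for client auth
SSLCACertificateFile  $WORK/client_ca.crt
SSLVerifyClient none
<Location /secure>
    SSLVerifyClient require
    # client certs must be issued directly by client_ca
    SSLVerifyDepth 1
    # renegotiate only when entering the protected area
    SSLOptions +OptRenegotiate
</Location>
EOF
}

build_pki
write_httpd_conf
verify_client client_bad public_root apache_server && echo "unexpected: server leaf accepted as issuer" || echo "client_bad rejected: apache_server.crt is not a CA"
verify_client client_good client_ca && echo "client_good accepted" || echo "unexpected: client_good rejected"
verify_client client_mail client_ca && echo "unexpected: email-only cert accepted for SSL client auth" || echo "client_mail rejected: extendedKeyUsage has no clientAuth"
q openssl verify -CAfile client_ca.crt client_mail.crt && echo "client_mail chains fine without a purpose check; the EKU alone rejects it"
```

Two caveats the directives hide. SSLCACertificateFile does double duty: it is the trust-anchor set for SSLVerifyClient and, unless SSLCADNRequestFile overrides it, the list of acceptable issuer names the server sends in its CertificateRequest, so the browser offers only certificates chaining to it; putting the Thawte root there instead would make the server accept any certificate chaining to that root, issued to anyone, and authorization would then have to be done with SSLRequire or similar. SSLVerifyDepth 1 means the client certificate must be issued directly by a CA in that file; raise it if an intermediate is ever added. The -purpose sslclient check above is the same purpose OpenSSL applies on the server side of the handshake, so a certificate Mozilla reports as valid only for e-mail use is refused by the TLS handshake itself, before the browser dialog matters.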