export client certificate CN?

on 22.08.2005 18:17:59 by August West

I am currently using mod_ssl to verify client certs.
are issued by trusted CAs (e.g. SSLVerifyClient
require), but then using username/password for
application identification/authorization, passing this
to Oracle via Tomcat using JAVA. However, I'd like to
be able to use client certs. for I/A by exporting the
CN (or perhaps serial number) when verifying. I have
tried to add "SSLOptions +ExportCertData", but I am
not sure where this data is being exported to! This
seemed like the appropriate SSL Option to be able to
parse the cert data, but please correct me if I am
wrong. Does anyone have any implementation
suggestions exporting the CN from client certs,
particularly for retrieving this information with
JAVA?
TIA!

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: export client certificate CN?

on 22.08.2005 19:46:04 by Andrew Musselman

I am trying to use mod_auth_ldap with apache2, and I am having trouble
figuring out how to generate a trusted Certificate Authority
certificate. I tried using the Netscape certificate database file as
the apache docs suggest, but I'm still getting a complaint from LDAP
that "LDAP: ssl connections not supported".

Can I use openssl to make a DER_FILE or a BASE64_FILE? Has anyone here
had experience getting this to work?

Thanks for your time.

Best,
Andrew

I am totally lost on this. I appreciate any help
Andrew Musselman
andrew@cwu.edu

RE: export client certificate CN?

on 22.08.2005 20:20:31 by GaydoshA

>I am trying to use mod_auth_ldap with apache2, and I am having
>trouble figuring out how to generate a trusted Certificate
>Authority certificate. I tried using the Netscape certificate
>database file as the apache docs suggest, but I'm still
>getting a complaint from LDAP that "LDAP: ssl connections not
>supported".

Not sure but this sounds like you haven't enabled SSL, not that it can't
negotiate the session.

>Can I use openssl to make a DER_FILE or a BASE64_FILE? Has
>anyone here had experience getting this to work?

Here's how I've generated server cert requests (PKCS #10 which works
fine with Netscape):
openssl req -config openssl.cnf -new -out hostname.csr
openssl rsa -in privkey.pem -out hostname.key

Then you'll need to point apache to the right certs:
SSLCertificateFile /server.crt
SSLCertificateKeyFile /server.key
SSLCACertificateFile /CA.crt

If you want to generate the certs yourself rather than submit the CSRs
to a CA:
openssl x509 -in hostname.csr -out hostname.crt -req -signkey hostname.key -days 365

RE: export client certificate CN?

on 23.08.2005 15:56:50 by Hoda Nadeem

Add the following line to your httpd configuration:

JkEnvVar SSL_CLIENT_S_DN none

JkEnvVar SSL_CLIENT_CERT none

This will make the client cert and distinguished name available through Apache environment variables.

Then in Java (within a JSP/servlet):

String DN = (String) request.getAttribute("SSL_CLIENT_S_DN"); // can also get the whole cert: SSL_CLIENT_CERT

And parse out the common name.

Nadeem
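
An added example (not part of the thread) of the "parse out the common name" step, taking the DN string as retrieved in the message above. The class and method names are hypothetical and the sample DNs are constructed; both DN layouts are handled because mod_ssl emits the slash-separated form in older releases and an RFC 2253 form by default since httpd 2.3.11.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class ClientCertCn {
    /** Returns the subject's CN; rejects DNs with no CN or more than one. */
    static String commonName(String dn) throws NamingException {
        if (dn == null || dn.isEmpty()) throw new InvalidNameException("no client DN");
        List<String> cns = dn.startsWith("/") ? legacyCns(dn) : rfc2253Cns(dn);
        if (cns.size() != 1) throw new InvalidNameException("expected one CN, found " + cns.size());
        return cns.get(0);
    }

    // RFC 2253 form: LdapName handles escaping and multi-valued RDNs (CN=a+OU=b).
    static List<String> rfc2253Cns(String dn) throws NamingException {
        List<String> out = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            Attribute cn = rdn.toAttributes().get("CN");
            for (int i = 0; cn != null && i < cn.size(); i++) {
                Object v = cn.get(i);
                if (!(v instanceof String)) throw new InvalidNameException("non-string CN");
                out.add((String) v);
            }
        }
        return out;
    }

    // Legacy "/C=../O=../CN=.." form: a '/' inside a value cannot be told apart
    // from a separator, so any component without "type=" is rejected.
    static List<String> legacyCns(String dn) throws NamingException {
        List<String> out = new ArrayList<>();
        for (String part : dn.substring(1).split("/", -1)) {
            int eq = part.indexOf('=');
            if (eq <= 0) throw new InvalidNameException("ambiguous component: " + part);
            if (part.substring(0, eq).equalsIgnoreCase("CN")) out.add(part.substring(eq + 1));
        }
        return out;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample DNs; in a servlet the string would come from
        // request.getAttribute("SSL_CLIENT_S_DN") as in the message above.
        System.out.println(commonName("/C=US/O=Example Corp/OU=Staff/CN=Jane Doe"));
        System.out.println(commonName("CN=Doe\\, Jane,OU=Staff,O=Example Corp,C=US"));
    }
}
```

These request attributes are only as trustworthy as the connector that delivers them, so the Tomcat connector should accept connections from the Apache front end alone.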

