How to accept only certain client certificates

How to accept only certain client certificates

am 25.07.2007 16:42:15 von merlin

Dear all,

I have a working SSL configuration, with client certificate authentication.
The SSLCACertificateFile directive is set so I accept every client who
has a certificate from that CA.

The problem is that since I'm running a web service, not webpages,
I want allow the access for a few clients only.
One way to achieve this to create my own CA and Issue client certificates,=
=20
which I'm doing now.
But my clients have their own certificates issued by eg. Verisign.
Is there a way to allow theese certs while denying the other from the same =
CA?
Can I just somehow directly enumerate the certificates I want to allow,=20
similar to the java truststore concept?

Thank you in advance
Mih=E1ly H=E9der
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: How to accept only certain client certificates

am 25.07.2007 16:51:04 von rich.fought

-----Original Message-----
>From: owner-modssl-users@modssl.org
[mailto:owner-modssl-users@modssl.org] >On Behalf Of merlin@sztaki.hu
>Sent: Wednesday, July 25, 2007 9:42 AM
>To: modssl-users@modssl.org
>Subject: How to accept only certain client certificates

>Dear all,

>I have a working SSL configuration, with client certificate
authentication.
>The SSLCACertificateFile directive is set so I accept every client who
>has a certificate from that CA.

>The problem is that since I'm running a web service, not webpages,
>I want allow the access for a few clients only.
>One way to achieve this to create my own CA and Issue client
certificates,=20
>which I'm doing now.
>But my clients have their own certificates issued by eg. Verisign.
>Is there a way to allow theese certs while denying the other from the
same >CA?
>Can I just somehow directly enumerate the certificates I want to allow,

>similar to the java truststore concept?

Perhaps you can use SSLRequire to use certificate parameters for
conditional access. You should be able to enumerate the desired client
distinguished names.

Rich
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org