mihaeli@VNET.IBM.COM wrote:
>
> Dear friends,
>
> Please tell me what I am missing with the setup of Apache-SSL (Apache 1.3.1,
> SSLeay 0.9.0b, and patch 131-1.20). I made a test certificate with "make
> certificate" and set it as the server certificate in the httpd.conf.
> With VerifyClient set to 0 I can connect to the Web server with Netscape
> irrespective of whether I have a client certificate or not. However, with
> VerifyClient set to 1, 2, or 3 I cannot connect at all if I have a certificate
> (from Thawte), and if I don't have one, then 1 and 3 work and I get a refusal
> on option 2 as expected. Sometimes there appear the following messages

To do client cert stuff, you need to do the following:

1. Set up a CA certificate. Let's call it 'MyCA.cert', and its key is
   'MyCA.key'.
2. Set up a secure server, with its own cert/key pair. These must be
   different from the above. 'MyServer.cert' and 'MyServer.key'
3. Sign/create the client cert with the CA key, NOT the server key.

Then your server would have (at least) the following directives:

    SSLCertificateFile MyServer.cert
    SSLCertificateKeyFile MyServer.key
    SSLCACertificateFile MyCA.cert
    SSLVerifyClient 2

cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
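
The three steps from the reply above, as an added example that is not part of the original message: it uses the current `openssl` command line in place of the SSLeay 0.9.0b tools, and the `MyClient`/`BadClient` file names, the subject names and the choice to have the CA also issue the server certificate are assumptions. It then checks which client certificate chains to `MyCA.cert`, the file named in `SSLCACertificateFile`.

```shell
#!/bin/sh
# Added example. Modern `openssl` CLI stands in for the SSLeay 0.9.0b tools.
# MyClient.*, BadClient.* and all subject names are hypothetical; keys are throwaway.

# new_key_and_csr NAME CN: private key NAME.key plus signing request NAME.csr
new_key_and_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign_csr NAME ISSUER: issue NAME.cert from NAME.csr with ISSUER.cert/ISSUER.key
sign_csr() {
    openssl x509 -req -in "$1.csr" -days 30 -CA "$2.cert" -CAkey "$2.key" \
        -CAcreateserial -out "$1.cert" 2>/dev/null
}

# make_pki DIR: build the files from steps 1-3 inside DIR (subshell keeps cwd)
make_pki() (
    cd "$1" || exit 1
    # 1. CA key and self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout MyCA.key -out MyCA.cert 2>/dev/null || exit 1
    # 2. Server key pair, distinct from the CA's (issued by the CA: an assumption)
    new_key_and_csr MyServer www.example.test && sign_csr MyServer MyCA || exit 1
    # 3. Client cert signed with the CA key
    new_key_and_csr MyClient "Test Client" && sign_csr MyClient MyCA || exit 1
    # The mistake step 3 warns about: a client cert signed with the server key
    new_key_and_csr BadClient "Bad Client" && sign_csr BadClient MyServer
)

# chains_to_ca DIR CERT: true if CERT verifies against MyCA.cert alone, the
# trust anchor that SSLCACertificateFile gives the server for client certs
chains_to_ca() {
    openssl verify -CAfile "$1/MyCA.cert" "$1/$2" 2>/dev/null | grep -q ': OK$'
}

PKI_DIR=$(mktemp -d)
make_pki "$PKI_DIR"
for cert in MyClient.cert BadClient.cert; do
    if chains_to_ca "$PKI_DIR" "$cert"; then echo "$cert: accepted"
    else echo "$cert: rejected"; fi
done
```

A client certificate issued by a public CA fails this check in the same way as `BadClient.cert` unless that CA's certificate is the one the server is told to trust.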