[Fedora-directory-users] ssl client authentication

Michael Montgomery mmontgomery at theplanet.com
Thu Nov 17 16:09:45 UTC 2005


Thank you very much for your response.  I just have a couple more
questions so I can be sure I know what I'm talking about.

> the directory server (your SSL server) replies with the certificate chain which includes 
> the CA certificate, and the self-signed SSL certificate."

I'm assuming the 'self-signed SSL certificate' is the client's ssl
certificate I imported into the SSL server's store, and NOT the server's
own client certificate?

> you should have the SSL certificate imported into your SSL client's security database, 
> and it should be marked as trusted (i.e -t "CT,CT,CT"). 

Is there any documentation on how to do this with a RHEL4 server?  The
only things that come to mind are the openssl dirs '/usr/share/ssl/*',
and possibly installing the certutil package on this machine...(but how
would the ldap.conf file reference this, and even know about it... I'm
curious about integration)

> Another way to do this is to sign your SSL server certificate with your self-signed CA 
> certificate, and import your CA certificate into your SSL client's security database. 

I'm assuming you're talking about this option to Sign/Validate a
self-signed cert:

-V              Validate a certificate
   -n cert-name      The nickname of the cert to Validate
   -b time           validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e                Check certificate signature
   -u certusage      Specify certificate usage:
                          C      SSL Client
                          V      SSL Server
                          S      Email signer
                          R      Email Recipient
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

But then there's still the above question of how to import it into
clients...

Once again, thank you very much for your answers up to this point, as
they were quite helpful.

Michael.
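The two steps the quoted reply describes (import the CA certificate into the client's NSS database with a trust string such as "CT,CT,CT", then validate the server certificate for SSL-server usage with `certutil -V -u V`) can be scripted. The following is an added example and not part of the thread or of the Fedora Directory Server project; the database path `/etc/pki/nssdb`, the nickname "Example CA", the file names and the `trust_flags_valid` / `ca_import_cmd` helper names are assumptions made here. The `openssl verify` helper is an OpenSSL-side check for clients that keep their CA in a PEM file (for an OpenLDAP `ldap.conf` client that means the `TLS_CACERT` or `TLS_CACERTDIR` setting, rather than an NSS database).

```shell
#!/bin/sh
# Added example: import a CA cert into a client NSS database with certutil,
# then validate the server cert against it. Not from the original thread.
set -eu

# NSS trust strings have three comma-separated fields (SSL, email, object
# signing), each made of zero or more of the flag letters p P c C T u w.
# Validate the string before handing it to certutil so a typo is caught
# early instead of silently producing an untrusted CA entry.
trust_flags_valid() {
    case "$1" in
        *,*,*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    [ "$#" -eq 3 ] || return 1
    for f in "$@"; do
        case "$f" in
            *[!pPcCTuw]*) return 1 ;;
        esac
    done
    return 0
}

# Build (but do not run) the import command. $1 = NSS db dir (assumed
# /etc/pki/nssdb), $2 = nickname, $3 = PEM file, $4 = trust flags.
# -a tells certutil the input is PEM (ASCII) rather than DER.
ca_import_cmd() {
    trust_flags_valid "$4" || return 1
    printf 'certutil -A -d %s -n "%s" -t "%s" -a -i %s\n' "$1" "$2" "$4" "$3"
}

# Import and trust the CA; refuses to run with a malformed trust string.
ca_import() {
    trust_flags_valid "$4" || { echo "bad trust flags: $4" >&2; return 1; }
    certutil -A -d "$1" -n "$2" -t "$4" -a -i "$3"
}

# Validate a nickname for SSL-server usage (-u V, as in the help text
# quoted in the thread) and check its signature chain (-e).
server_cert_check() {
    certutil -V -d "$1" -n "$2" -u V -e
}

# OpenSSL-side equivalent for PEM-based clients: $1 = CA PEM, $2 = server PEM.
openssl_chain_check() {
    openssl verify -CAfile "$1" "$2"
}

# Usage: ./nss-ca-import.sh /etc/pki/nssdb "Example CA" ca.pem [trust-flags]
if [ "$#" -ge 3 ]; then
    ca_import "$1" "$2" "$3" "${4:-CT,CT,CT}"
    certutil -L -d "$1"   # list the database so the trust column can be eyeballed
fi
```

The trust string from the reply, "CT,CT,CT", marks the CA as trusted to sign server certificates (C) and client certificates (T) for all three usages; a narrower "CT,,," or "C,," would limit the trust to the SSL usage only, which is the least privilege an LDAP-over-SSL client actually needs.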
