[Fedora-directory-users] Re: Re: ssl client authentication
Michael Montgomery
mmontgomery at theplanet.com
Mon Nov 28 16:32:39 UTC 2005
Does anyone possibly have an answer to these questions? I'm quite
stumped at the moment, and would love to try and get this fully working.
Thanks again.
> Date: Thu, 17 Nov 2005 10:09:45 -0600
> From: Michael Montgomery <mmontgomery at theplanet.com>
> Subject: Re: Re: [Fedora-directory-users] ssl client authentication
> To: fedora-directory-users at redhat.com
> Message-ID: <1132243785.24437.11.camel at work>
> Content-Type: text/plain
>
> Thank you very much for your response. I just have a couple more
> questions so I can be sure I know what I'm talking about.
>
> > the directory server (your SSL server) replies with the certificate chain which includes
> > the CA certificate, and the self-signed SSL certificate.
>
> I'm assuming the 'self-signed SSL certificate' is the client's ssl
> certificate I imported into the SSL server's store, and NOT the server's
> own client certificate?
>
> > you should have the SSL certificate imported into your SSL client's security database,
> > and it should be marked as trusted (i.e -t "CT,CT,CT").
>
> Is there any documentation on how to do this with a RHEL4 server? The
> only things that come to mind are the openssl dirs '/usr/share/ssl/*',
> and possibly installing the certutil package on this machine...(but how
> would the ldap.conf file reference this, and even know about it... I'm
> curious about integration)
>
> > Another way to do this is to sign your SSL server certificate with your self-signed CA
> > certificate, and import your CA certificate into your SSL client's security database.
>
> I'm assuming you're talking about this option to Sign/Validate a
> self-signed cert:
>
> -V Validate a certificate
> -n cert-name The nickname of the cert to Validate
> -b time validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
> -e Check certificate signature
> -u certusage Specify certificate usage:
> C SSL Client
> V SSL Server
> S Email signer
> R Email Recipient
> -d certdir Cert database directory (default is ~/.netscape)
> -P dbprefix Cert & Key database prefix
> -X force the database to open R/W
>
> But then there's still the above question of how to import it into
> clients...
>
> Once again, thank you very much for your answers up to this point, as
> they were quite helpful.
>
> Michael.
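The two client-side trust steps discussed in the thread (sign the server certificate with a self-signed CA, then import that CA into the client as trusted with -t "CT,CT,CT"), as an added shell example that is not from the thread or from Fedora Directory Server. It assumes OpenSSL is installed and uses certutil only when present; the OpenLDAP ldap.conf directives TLS_CACERT/TLS_REQCERT, the nicknames, paths and the hostname ldap.example.test are the example's own assumptions for a generic client, not RHEL4-specific instructions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a self-signed CA, signs a server
# certificate with it (the "another way" above), then trusts the CA on the
# client side two ways: an OpenLDAP ldap.conf and an NSS certdb via certutil.
# Names, paths and the hostname ldap.example.test are constructed for the demo.
set -eu
WORK=${WORK:-$(mktemp -d)}

make_ca_and_server_cert() {
    # Self-signed CA key and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Server key and CSR, then have the CA sign it instead of self-signing.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
}

# What a client trusting only ca.pem will do: accept server.pem (its chain ends
# at the trusted CA) and reject any certificate that CA did not sign.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" 2>&1 | grep -q ': OK$'
}

# OpenLDAP client (the ldap.conf route): TLS_CACERT names the trusted CA
# file; TLS_REQCERT demand refuses servers whose chain does not validate.
write_ldap_conf() {
    cat > "$WORK/ldap.conf" <<EOF
TLS_CACERT $WORK/ca.pem
TLS_REQCERT demand
EOF
}

# NSS client (the certutil route): import the CA with the trust flags quoted in
# the thread, then validate the server cert for SSL-server usage (-u V).
import_into_nss() {
    command -v certutil >/dev/null 2>&1 || return 0   # skipped when NSS tools absent
    mkdir -p "$WORK/certdb"
    certutil -N -d "$WORK/certdb" --empty-password
    certutil -A -d "$WORK/certdb" -n "Demo LDAP CA" -t "CT,CT,CT" -i "$WORK/ca.pem"
    certutil -A -d "$WORK/certdb" -n "ldap server" -t ",," -i "$WORK/server.pem"
    certutil -V -d "$WORK/certdb" -n "ldap server" -u V >/dev/null
}
```

For the client-certificate side of the thread, the same import with -u C instead of -u V validates a certificate for SSL-client usage against the trusted CA.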