[Fedora-directory-users] Re: Re: ssl client authentication

Michael Montgomery mmontgomery at theplanet.com
Mon Nov 28 16:32:39 UTC 2005


Does anyone possibly have an answer to these questions?  I'm quite
stumped at the moment, and would love to try and get this fully working.

Thanks again.

> Date: Thu, 17 Nov 2005 10:09:45 -0600
> From: Michael Montgomery <mmontgomery at theplanet.com>
> Subject: Re: Re: [Fedora-directory-users] ssl client authentication
> To: fedora-directory-users at redhat.com
> Message-ID: <1132243785.24437.11.camel at work>
> Content-Type: text/plain
> 
> Thank you very much for your response.  I just have a couple more
> questions so I can be sure I know what I'm talking about.
> 
> > the directory server (your SSL server) replies with the certificate chain which includes 
> > the CA certificate, and the self-signed SSL certificate."
> 
> I'm assuming the 'self-signed SSL certificate' is the client's ssl
> certificate I imported into the SSL server's store, and NOT the server's
> own client certificate?
> 
> > you should have the SSL certificate imported into your SSL client's security database, 
> > and it should be marked as trusted (i.e -t "CT,CT,CT"). 
> 
> Is there any documentation on how to do this with a RHEL4 server?  The
> only things that come to mind are the openssl dirs '/usr/share/ssl/*',
> and possibly installing the certutil package on this machine...(but how
> would the ldap.conf file reference this, and even know about it... I'm
> curious about integration)
> 
> > Another way to do this is to sign your SSL server certificate with your self-signed CA 
> > certificate, and import your CA certificate into your SSL client's security database. 
> 
> I'm assuming you're talking about this option to Sign/Validate a
> self-signed cert:
> 
> -V              Validate a certificate
>    -n cert-name      The nickname of the cert to Validate
>    -b time           validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
>    -e                Check certificate signature
>    -u certusage      Specify certificate usage:
>                           C      SSL Client
>                           V      SSL Server
>                           S      Email signer
>                           R      Email Recipient
>    -d certdir        Cert database directory (default is ~/.netscape)
>    -P dbprefix       Cert & Key database prefix
>    -X                force the database to open R/W
> 
> But then there's still the above question of how to import it into
> clients...
> 
> Once again, thank you very much for your answers up to this point, as
> they were quite helpful.
> 
> Michael.
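The import-and-trust step the quoted answer describes, as an added example that is not part of this thread: it assumes NSS's certutil is installed, and every directory, nickname and subject below is constructed for the example. The validation at the end succeeds only when the client database trusts the CA that signed the server certificate, which is the behaviour the quoted answer relies on.

```shell
# Added example (not from the thread). Assumes certutil (NSS tools) is on PATH;
# all paths, nicknames and subjects are constructed for illustration.
set -e

# Create an empty NSS database with an empty password so the commands are
# non-interactive (use a real password file for a production database).
nss_init_db() {
  mkdir -p "$1" && : > "$1/pw.txt"
  certutil -N -d "$1" -f "$1/pw.txt"
}

# Make a self-signed CA in the given database (the thread's "self-signed CA
# certificate"). -x self-signs; -z feeds entropy to key generation.
nss_make_self_signed_ca() {
  dd if=/dev/urandom of="$1/noise" bs=2048 count=1 2>/dev/null
  certutil -S -d "$1" -f "$1/pw.txt" -z "$1/noise" -n "$2" -s "CN=$2" \
    -x -t "CT,CT,CT" -v 12 -k rsa -g 2048 -m 1
}

# Issue a server certificate ($2) signed by the CA nickname in $3, serial $4.
nss_issue_server_cert() {
  certutil -S -d "$1" -f "$1/pw.txt" -z "$1/noise" -n "$2" -s "CN=$2" \
    -c "$3" -t ",," -v 12 -k rsa -g 2048 -m "$4"
}

# Export a certificate as PEM so it can be copied to the client machine.
nss_export_pem() { certutil -L -d "$1" -n "$2" -a; }

# Import a PEM certificate ($3) into a database under nickname $2 with trust
# flags $4: "CT,CT,CT" marks it a trusted CA for SSL, email and object
# signing (the setting the quoted answer names); ",," imports it untrusted.
nss_import() { certutil -A -d "$1" -n "$2" -t "$4" -a -i "$3"; }

# Validate a certificate for SSL server usage (-u V) and check its signature
# (-e). Exit status is non-zero unless the issuer chain ends at a CA that
# this database trusts, which is what an SSL client checks at connect time.
nss_validate_server() { certutil -V -d "$1" -n "$2" -u V -e; }
```

Run the functions in order (init, make CA, issue server cert, export, import into the client database, validate) to reproduce the chain check; importing the CA with ",," instead of "CT,CT,CT" makes the final validation fail.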
