Author: Christopher Masto
Date: 04-10-01 22:26
You seem to be exporting your SERVER certificate and importing it into your web browser. That's rather strange and confusing. You should probably be creating a separate client certificate (indeed, a separate one for each client).
An important detail that seems to be missing in this article is what to enter when creating the certificate requests (CA.pl -newreq). For a server, it's critical that the "Common Name" be the name of your site (www.freebsddiary.org, for example). Client certificates should use the name of the person the certificate will be identifying.
Author: Patrick Sandberg
Date: 07-10-01 15:55
I totally agree with your comment on the Client Certificate report on The FreeBSD Diary. He does provide the server certificate to the client, which is OK if you only want to prove "This is really server xxx.com, says this yyy CA, trust me", but if you want to check out the client from a server's perspective, how do you do it?
When I enable verify client certificates, I never get IE 5.5 SP2 to provide any certificate. My guess is that I have not created the client certificate in such a way as to associate it with my specific website (so that IE knows which certificate to show to which server)? But I'm not sure; any good pointers on how to create client certificates (step by step) and how to get them to work with your server?
Thanks,
Patrick
Author: Gabor Komlossy
Date: 18-02-02 16:03
I agree, this is not enough for client authorization. I will try the following today:
1. Start this howto and create a CA, a Server Certificate and configure Apache, but NOT convert the certificate to pkcs12 format.
2. Then I will create another "Server Certificate", which I will call Client Certificate, and use the client name in the CN field.
3. I will convert the second certificate, the Client Certificate, to pkcs12 format, put it on a floppy and give it to a client
4. The client will install the pkcs12 file in his browser
If this does not work, I will post a message here, so if there are no other messages here from me, the above procedure worked...