[lug] creating client certs for apache
D. Stimits
stimits at comcast.net
Wed Sep 7 15:26:59 MDT 2005
I'm now looking at this:
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol
Basically I have the apache server set up to use https only for access
to subversion repositories. I have my own self-signed cert,
myserver.crt. At that URL it says I can now create client certs signed
by my self-signing-CA, followed by naming cert I signed it with as the
check for whether access is allowed or not. The apache site does not go
into details about the OpenSSL means of doing this, and I have a fear
about giving away private keys that should not be public. For fedora
core 4, I have:
/etc/pki/tls/certs/myserver.crt
First, am I correct to say that despite this not being in a directory
labeled "private" that this crt file should be a guarded secret?
Second, can I create multiple client certs from this server cert which
are each unique? What I'm getting at is that I might want to issue a
different cert for each person, such that if there is a problem I can
revoke only the one cert. Or alternatively, I might want to issue one
client cert for a group of people using one subversion repository via
https, and a different cert for a different group, and have it
automatically know via cert that they have access to some directories
but not others. All of which hinges on either making multiple unique
client certs from one server cert, or else creating multiple server
certs if I can make only one client cert per server cert. Any advice on
creating these certs, and keeping the right parts private, especially on
fedora/apache 2?
D. Stimits, stimits AT comcast DOT net
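Added example, not part of the original post: a shell script that builds a private CA with OpenSSL and signs one client certificate per user, so each user can be revoked individually and a group name placed in the OU can be matched by Apache's SSLRequire, as the linked howto describes. File names (ca/ca.key, clients/<user>.*), the Apache paths and the placeholder PKCS#12 password are assumptions; the only file that must stay private is the CA key, while the .crt files are public certificates.

```shell
#!/bin/sh
# Added example (not from the original post): private CA that issues one
# client cert per user. Assumed layout: ca/ca.key, ca/ca.crt, clients/<user>.*
set -e

# Create the CA. ca/ca.key is the only file that must stay secret;
# ca/ca.crt is public and is what Apache loads via SSLCACertificateFile.
make_ca() {
    mkdir -p ca && chmod 700 ca
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Subversion CA" \
        -keyout ca/ca.key -out ca/ca.crt
    chmod 600 ca/ca.key
    chmod 644 ca/ca.crt
}

# Issue one certificate per user. $1 = user name, $2 = group; the group is
# put in OU so Apache can check it with SSLRequire %{SSL_CLIENT_S_DN_OU}.
make_client_cert() {
    user=$1; group=$2
    mkdir -p clients
    openssl req -new -newkey rsa:2048 -nodes -subj "/OU=$group/CN=$user" \
        -keyout "clients/$user.key" -out "clients/$user.csr"
    # -CAcreateserial keeps a counter in ca/ca.srl so every cert gets a
    # distinct serial number, which is what a CRL later revokes per user.
    openssl x509 -req -days 365 -in "clients/$user.csr" \
        -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
        -out "clients/$user.crt"
    # Bundle cert + key for import into the user's browser or svn client.
    # Password is a placeholder; hand the .p12 to that user only.
    openssl pkcs12 -export -inkey "clients/$user.key" -in "clients/$user.crt" \
        -certfile ca/ca.crt -passout pass:changeit -out "clients/$user.p12"
    chmod 600 "clients/$user.key" "clients/$user.p12"
}

# Check that a user's cert chains to the CA and print its subject (OU, CN).
verify_client_cert() {
    openssl verify -CAfile ca/ca.crt "clients/$1.crt" >/dev/null 2>&1 &&
    openssl x509 -noout -subject -in "clients/$1.crt"
}

# Apache side (assumed paths), following the howto linked in the post:
#   SSLCACertificateFile  /etc/pki/tls/certs/ca.crt   (public CA cert only)
#   SSLCARevocationFile   /etc/pki/tls/certs/ca.crl   (per-user revocation)
#   SSLVerifyClient require
#   <Location /svn/devs> SSLRequire %{SSL_CLIENT_S_DN_OU} eq "devs" </Location>
if [ "${1:-}" = "demo" ]; then
    make_ca; make_client_cert alice devs; verify_client_cert alice
fi
```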