[lug] creating client certs for apache
Hugh Brown
hugh at math.byu.edu
Wed Sep 7 17:39:38 MDT 2005
openssl packages used to contain a CA perl script that you could use
(still does, I just had to look for it).
Googling for "openssl personal certificate authority CA"
turned up http://sial.org/howto/openssl/ca/ which might be good
reading.
On an RH4 and a Debian sarge box, CA.pl lives in /usr/share/ssl/misc/CA.pl
Try reading through that and its man page for some more ideas.
Hugh
On Wed, 2005-09-07 at 15:26 -0600, D. Stimits wrote:
> I'm now looking at this:
> http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol
>
> Basically I have the apache server set up to use https only for access
> to subversion repositories. I have my own self-signed cert,
> myserver.crt. At that URL it says I can now create client certs signed
> by my self-signing CA, followed by naming the cert I signed it with as the
> check for whether access is allowed or not. The apache site does not go
> into details about the OpenSSL means of doing this, and I have a fear
> about giving away private keys that should not be public. For fedora
> core 4, I have:
> /etc/pki/tls/certs/myserver.crt
>
> First, am I correct to say that despite this not being in a directory
> labeled "private" that this crt file should be a guarded secret?
>
> Second, can I create multiple client certs from this server cert which
> are each unique? What I'm getting at is that I might want to issue a
> different cert for each person, such that if there is a problem I can
> revoke only the one cert. Or alternatively, I might want to issue one
> client cert for a group of people using one subversion repository via
> https, and a different cert for a different group, and have it
> automatically know via cert that they have access to some directories
> but not others. All of which hinges on either making multiple unique
> client certs from one server cert, or else creating multiple server
> certs if I can make only one client cert per server cert. Any advice on
> creating these certs, and keeping the right parts private, especially on
> fedora/apache 2?
>
> D. Stimits, stimits AT comcast DOT net
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
--
Hugh Brown <hugh at math.byu.edu>
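The two questions in the quoted mail, which part stays secret and how to give each person a unique, individually revocable client cert, as an added shell example. This is not code from the thread and not CA.pl; it drives the same openssl commands directly. It assumes a scratch directory, 2048-bit RSA keys and sha256, and the names (alice, bob, "Example Private CA") are constructed. The point it makes: client certs are signed by the CA's private key (ca.key), never by the server cert, so ca.key is the file to guard, while ca.crt is public and is what goes into Apache's SSLCACertificateFile, with the CRL in SSLCARevocationFile.

```shell
#!/bin/sh
# Added example (not from the thread, not CA.pl): a minimal private CA that
# issues per-person client certificates and revokes one of them, using only
# the openssl command line. Paths, names and key sizes are assumptions.
set -e

# Write a minimal openssl.cnf for a CA rooted in directory $1.
# Everything uses absolute paths so 'openssl ca' does not depend on cwd.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = private_ca

[ private_ca ]
new_certs_dir = $1/newcerts
database = $1/index.txt
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn_only
x509_extensions = client_ext
unique_subject = no

[ policy_cn_only ]
commonName = supplied

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = ca_ext

[ req_dn ]
CN = Example Private CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA in $1. ca.key is the one secret: guard it. ca.crt is public
# and is what Apache and every client receive.
init_ca() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  write_ca_config "$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/ca.key" 2>/dev/null
  chmod 600 "$1/ca.key"
  openssl req -x509 -new -config "$1/openssl.cnf" -key "$1/ca.key" \
    -days 3650 -out "$1/ca.crt"
  # An empty CRL so certs can be checked before anyone is revoked.
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# Issue a unique client certificate for person $2 under CA $1.
# The person's key ($2.key) stays with them; only the CSR reaches the CA.
issue_client_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/$2.key" 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" \
    -subj "/CN=$2" -out "$1/$2.csr"
  openssl ca -batch -notext -config "$1/openssl.cnf" \
    -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# Revoke only $2's certificate and regenerate the CRL that Apache reads.
revoke_client_cert() {
  openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# Exit 0 if $2's cert chains to the CA and is not on the CRL, else non-zero.
check_client_cert() {
  openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
    "$1/$2.crt" >/dev/null 2>&1
}

# Demo: two people get their own certs, one is revoked, the other still works.
demo_dir=$(mktemp -d)
init_ca "$demo_dir"
issue_client_cert "$demo_dir" alice
issue_client_cert "$demo_dir" bob
revoke_client_cert "$demo_dir" bob
check_client_cert "$demo_dir" alice && echo "alice: accepted"
check_client_cert "$demo_dir" bob || echo "bob: rejected (revoked)"
rm -rf "$demo_dir"
```

What gets handed out: each person receives their own .key and .crt (typically bundled into a PKCS#12 for the browser or svn client), the server gets ca.crt and ca.crl, and ca.key never leaves the CA machine. Group-based access as asked in the mail falls out of the same setup, since Apache can match on fields of the client cert's subject in an SSLRequire expression once SSLVerifyClient is on.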