List:       apache-modssl
Subject:    Re: Correct use of SSLVerifyClient and Sub-Ordinate CAs
From:       Joe Orton <jorton () redhat ! com>
Date:       2007-12-14 11:10:03
Message-ID: 20071214111003.GA13676 () redhat ! com

On Mon, Nov 19, 2007 at 09:24:09AM +0000, Anony Mouse wrote:
> I've found myself in the same quandary as this guy [1]. My CA
> structure is as follows.
> 
> - RootCA
>  - SubCA1
>    - SubCA1 Server
>    - SubCA1 Clients
>  - SubCA2
>    - SubCA2 Server
>    - SubCA2 Clients
> 
> I have two HTTPS vhost containers. One which has a server certificate
> issued by SubCA1 and should only accept client certificates from
> SubCA1. Likewise, another for SubCA2, which should only accept client
> certificates from SubCA2.

I think this should work by using:

   SSLCertificateChainFile rootca
   <Vhost for SubCA1>
        SSLCACertificateFile SubCA1
   </Vhost>
   <Vhost for SubCA2>
        SSLCACertificateFile SubCA2
   </Vhost>

joe
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org
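
The question above comes down to which trusted CA set lets which client certificate validate. As an added example (not part of the original message), the script below builds a throwaway copy of the RootCA/SubCA1/SubCA2 hierarchy and runs OpenSSL's chain check with `openssl verify`, not mod_ssl itself. All file names, subjects and serials are constructed for the example.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI shaped like the thread's hierarchy:
# RootCA -> SubCA1, SubCA2, with one client certificate under each sub-CA.
set -eu
PKI=$(mktemp -d)

# issue NAME CN X509_ARGS...: new key and CSR, then a certificate signed as
# directed by X509_ARGS (-signkey for the root, -CA/-CAkey for the rest).
issue() {
  name=$1 cn=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr"
  openssl x509 -req -in "$PKI/$name.csr" -days 2 -out "$PKI/$name.pem" "$@"
} >/dev/null 2>&1

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$PKI/ca.ext"
  issue root RootCA -signkey "$PKI/root.key" -extfile "$PKI/ca.ext"
  for n in 1 2; do
    issue "sub$n" "SubCA$n" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" \
      -set_serial "1$n" -extfile "$PKI/ca.ext"
    issue "client$n" "SubCA$n Client" -CA "$PKI/sub$n.pem" \
      -CAkey "$PKI/sub$n.key" -set_serial "2$n"
  done
  cat "$PKI/root.pem" "$PKI/sub1.pem" > "$PKI/root+sub1.pem"
}

# accepts VERIFY_ARGS...: true when `openssl verify` builds a valid chain.
# -CAfile is the trusted set; -untrusted is what the client sends with its cert.
accepts() { openssl verify "$@" >/dev/null 2>&1; }

show() {
  label=$1; shift
  if accepts "$@"; then verdict=accepted; else verdict=rejected; fi
  printf '%-50s %s\n' "$label" "$verdict"
}

build_pki
cd "$PKI"
show "trust RootCA; client1 sends SubCA1"        -CAfile root.pem -untrusted sub1.pem client1.pem
show "trust RootCA; client2 sends SubCA2"        -CAfile root.pem -untrusted sub2.pem client2.pem
show "trust RootCA+SubCA1; client2 alone"        -CAfile root+sub1.pem client2.pem
show "trust RootCA+SubCA1; client2 sends SubCA2" -CAfile root+sub1.pem -untrusted sub2.pem client2.pem
show "trust SubCA1 only; client1"                -CAfile sub1.pem client1.pem
show "trust SubCA1 only, -partial_chain; client1" -partial_chain -CAfile sub1.pem client1.pem
show "trust SubCA1 only, -partial_chain; client2 sends SubCA2" \
  -partial_chain -CAfile sub1.pem -untrusted sub2.pem client2.pem
```

The rows describe path validation in the `openssl` tool only; the same client certificates can then be presented to each vhost to confirm how the server behaves with the directives above.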