
Re: Limiting access to website ???



On Sat, Oct 04, 2003 at 04:25:57PM -0500, Michael D Schleif wrote:

> OK, this section is what I need -- thank  you:
> 
>    <http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6>
> 
> Correct me if I am wrong; but, this is the process?
> 
> [1] One (1) Certificate per client/browser authenticates *both* the
> server to the client, and the client to the server; and

The server will need its own certificate with a CN of the server's
hostname.

> [2] Each client/browser can have *either* a unique client-specific
> Certificate, or each client/browser can have a Certificate _common_ to a
> group, for purposes of authentication in point [1].

I suspect that you would be better off generating a certificate for each
client, but that probably depends on your requirements.

> [3] Will we need to become our own Certificate Authority, or would this
> work just as well with self-signed Certificates, and without any upline
> authority?

You will need to be a CA, and both the server cert and the clients'
certs will need to be signed by that CA. In addition, the server config
needs to point to the CA's cert so that it can verify the clients'
certs.

The clients should have the CA's cert installed as well or else each
client will complain when they connect because they don't recognize the
server's certificate signer. This isn't strictly necessary, as long as
your users can be trained to permanently accept the unknown cert the
first time they connect.

Note that all this could become very onerous if your application isn't
targeted at a closed group of users (i.e., it's something on the
Internet).

-- 
Dave Carrigan
Seattle, WA, USA
dave@rudedog.org | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
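The procedure the reply sketches (become your own CA, sign a server cert whose CN is the server hostname, sign one cert per client, point the server config at the CA cert, and hand the CA cert to the clients) as a worked example. This is added here and is not code from the thread or from the mod_ssl documentation; the hostname `www.example.org`, the client name `alice`, the PKCS#12 password `changeit`, the output directory and the directive values (validity periods, key size, `SSLVerifyDepth 1`) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Private-CA client-certificate setup, as described in the reply above.
# Added example, not part of the original thread. Hostname, client name,
# password and directory are placeholders (assumptions).
set -eu

# make_pki DIR HOST CLIENT
#   Creates a self-signed CA, a CA-signed server cert with CN=HOST, a
#   CA-signed client cert with CN=CLIENT, a PKCS#12 bundle for the browser
#   (containing the CA cert, so the client also trusts the server's signer),
#   and an Apache mod_ssl fragment that points at the CA cert for client
#   verification.
make_pki() {
    dir=$1; host=$2; client=$3
    mkdir -p "$dir"

    # 1. The CA: self-signed, long-lived, kept offline in practice.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key + CSR with CN = hostname, signed by the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null

    # 3. One key + cert per client, also signed by the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout "$dir/$client.key" -out "$dir/$client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$client.crt" 2>/dev/null

    # 4. Browser import bundle: client key + cert + CA cert. The password
    #    "changeit" is a placeholder for the example only.
    openssl pkcs12 -export -inkey "$dir/$client.key" -in "$dir/$client.crt" \
        -certfile "$dir/ca.crt" -passout pass:changeit \
        -out "$dir/$client.p12" 2>/dev/null

    # 5. mod_ssl fragment: server cert/key, the CA cert used to verify
    #    client certs, and a hard requirement that clients present one.
    cat > "$dir/ssl-client-auth.conf" <<EOF
SSLEngine on
SSLCertificateFile    $dir/server.crt
SSLCertificateKeyFile $dir/server.key
SSLCACertificateFile  $dir/ca.crt
SSLVerifyClient require
SSLVerifyDepth  1
EOF
}

# verify_chain DIR CLIENT_CERT
#   Pre-deployment check: both the server cert and the given client cert
#   must chain to ca.crt. Exit status is the verdict, nothing is printed.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 &&
    openssl verify -CAfile "$dir/ca.crt" "$2" >/dev/null 2>&1
}

# cert_cn CERT
#   Prints the subject CN, so the "CN must equal the hostname" rule from the
#   reply can be checked in a script. Handles both "CN = x" and "/CN=x" forms.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Stand-alone run (assumed names):
#   make_pki ./pki www.example.org alice
#   verify_chain ./pki ./pki/alice.crt && echo "chain ok"
#   cert_cn ./pki/server.crt
```

Each additional user gets another run of steps 3 and 4 against the same `ca.key`; the server side needs no change because `SSLCACertificateFile` identifies the issuer, not individual clients. Installing `ca.crt` in the browser (here carried inside the `.p12`) is what removes the "unknown certificate signer" prompt the reply mentions.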
