Michael and Jonathan,

Thank you for your comments. I understand that the server sends a list of
accessible CAs.

Here is the case I don't completely understand how it works.

e.g. I have 2 VeriSign Client Certs, but only 1 VeriSign cert should be
valid at the protected site. Although they are issued from the same CA, the
information inside of them is a little different.

The server obviously has the DN of VeriSign, which is an acceptable CA, so both
certs are valid (in terms of being issued by a valid CA), but only one cert
should be VALID to enter that specific site.

In your response, you said a choice must be made. An arbitrary choice? Who
determines that VeriSign Cert #1, even though it is issued by the valid CA, is
not valid to enter this site, while VeriSign Cert #2 is a valid one?

Thank you in advance.
Leon


-----Original Message-----
From: Michael Sierchio [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 9:12 PM
To: [EMAIL PROTECTED]
Subject: Re: certs


"ZILBER,LEONID (HP-NewJersey,ex1)" wrote:

> When a person browses to a cert-protected website a window pops up asking
> to choose which certificate you would like to present, in case the person has
> several certs installed.
> 
> Q1. When I choose a cert, how does a server determine if it is the right
> cert or not?

Part of the SSL handshake (in the case of the server requiring client auth)
involves the server sending a list of DNs of acceptable CAs.  The client
presents a cert signed by (or a cert chain terminating in a cert signed by)
one of those CAs.

If the client has more than one user cert signed by one of the acceptable
CAs, a choice must be made.

> Q2. Is there a way to configure a server, so when a user gets to a cert
> protected site, the server can find the correct certs automatically in the user
> repository, without prompting a user to choose the correct cert?

The server doesn't find anything in the user repository -- it's up to
the client.  You can edit, presumably, the list of CAs trusted by the
server to include only certs issued by your own CA, for example.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
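Added example (not part of this thread, and not OpenSSL code): a small Go program using the standard crypto/tls package that reproduces the situation Leon describes. A constructed CA issues two client certificates; the server lists that CA in ClientCAs, which is the acceptable-CA list Michael mentions, so both certs pass the handshake's chain check. Which of the two is actually allowed into the site is decided separately, in a VerifyPeerCertificate callback that compares the certificate's subject against an application-level allow-list. The CA name, the subjects leon-cert-1 / leon-cert-2 and site.example, the "welcome" greeting and the allow-list are all assumptions made up for this example; the handshake runs over loopback.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Application-level allow-list, an assumption of this example: both client certs
// below chain to the same CA, but only this subject is allowed into the site.
var authorizedSubjects = map[string]bool{"leon-cert-1": true}

// issue creates a constructed certificate for cn: a self-signed CA when isCA is set,
// otherwise a client/server-auth leaf signed by parent. Fixture errors just panic.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA}
	pCert, pKey := tmpl, any(key) // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
		pCert, pKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, pCert, &key.PublicKey, pKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was just produced by CreateCertificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// authorizeClient runs only after the chain to an acceptable CA has verified (so a
// verified chain is guaranteed here). It makes the decision the handshake itself
// never makes: which of the certs from that CA may enter this particular site.
func authorizeClient(_ [][]byte, chains [][]*x509.Certificate) error {
	if cn := chains[0][0].Subject.CommonName; !authorizedSubjects[cn] {
		return fmt.Errorf("cert %q chains to an acceptable CA but is not authorized here", cn)
	}
	return nil
}

// tryHandshake runs one mutually authenticated connection over loopback and returns
// the greeting the client received plus the server-side error (nil when accepted).
func tryHandshake(ca *x509.Certificate, server, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// ClientCAs is the list of acceptable CA names the server sends in CertificateRequest.
	srvConf := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, VerifyPeerCertificate: authorizeClient}
	cliConf := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: "site.example"}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			_, err = conn.Write([]byte("welcome")) // Write runs the handshake and fails if the cert is rejected
		}
		serverErr <- err
	}()
	tconn, err := tls.Dial("tcp", ln.Addr().String(), cliConf)
	if err != nil {
		return "", err
	}
	defer tconn.Close()
	// In TLS 1.3 the client's handshake completes before the server has judged the cert, so a rejected client only sees the alert on its first Read.
	tconn.SetReadDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 16)
	n, _ := tconn.Read(buf)
	return string(buf[:n]), <-serverErr
}

// scenario builds the constructed CA, one server cert and two client certs from that
// CA, then connects once with each client cert.
func scenario() (greeting string, accepted, rejected error) {
	ca := issue("Example Client CA (constructed)", true, nil)
	site := issue("site.example", false, &ca)
	greeting, accepted = tryHandshake(ca.Leaf, site, issue("leon-cert-1", false, &ca))
	_, rejected = tryHandshake(ca.Leaf, site, issue("leon-cert-2", false, &ca))
	return greeting, accepted, rejected
}

func main() { fmt.Println(scenario()) }
```

Run it with `go run`: the first connection prints the greeting with a nil error, the second prints the server-side rejection for leon-cert-2. The point to take from it is that ClientCAs only answers "was this cert issued by a CA I accept"; distinguishing two certs from the same CA is an authorization decision the site has to make itself, here by subject name, and it is made on the server after chain verification, not by the client's choice in the browser dialog.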