Hi Stephen,

Do you have an idea of how I can implement this using Xenroll? Is there any documentation on the internet?
Thanks in advance,
Fabiano

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, May 11, 2004 8:41 PM
To: [EMAIL PROTECTED]
Subject: Re: HTTPS with customized pfx files.

On Mon, May 10, 2004, Fabiano Reis wrote:

> Hi,
>
> I have an Apache webserver running with ssl enabled. I configured it to use
> the "SSLVerifyClient required" option, so my customers can reach me only if
> they have the pfx file that I generate using the openssl command.
>
> The whole process completes when I send the pfx file to my customer and he
> installs it on his computer; in that way he gains access to my webserver.
> But I see one problem with this: if my client sends the pfx file to another
> guy I will be in trouble because I cannot control what they will do with
> the pfx files.
>
> I think the fix for that is something like creating certificates for my
> customers with an expiry time, or by using some SSL mechanism to control the
> use of a PFX file by the client, in a way that if the certificate is used for
> the first time on a machine, it cannot be used on a second one. (I really
> don't have any experience with SSL, so that is why I'm talking about these
> ugly examples.)
>
> My concern is just about how to control my clients using SSL. I expect you
> understand my doubt, and if you point me to any website or any ideas of what
> I can use to implement this I will really appreciate that.
>

You could also get problems if the PFX file gets intercepted somehow along
with the password.

If you are using MSIE then one solution is not to use PFX files at all but to
use Xenroll to create a private key on the client machine and install the
certificate there. There is an option to make the key unexportable which means
it cannot be easily moved off the machine. There *are* ways to move the key
but they aren't well known and require some degree of expertise.

Steve.
--
Dr Stephen N. Henson.
Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
______________________________________________________________________
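The thread discusses issuing customer client certificates with an expiry time and shipping them as .pfx files for use behind Apache's SSLVerifyClient. The script below is an added example written for this page, not code posted in the thread or shipped by the OpenSSL project. It assumes only the `openssl` command-line tool is installed; the CA name, customer name, password and working directory are constructed for the demonstration. It builds a private CA, issues a short-lived client certificate, packs key and certificate into a password-protected PKCS#12 (.pfx) bundle, and checks how long the certificate will still be accepted, which is the limit a short validity places on a leaked .pfx.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the pieces the poster
# describes: a private CA, a customer client certificate with a short
# validity, a password-protected .pfx bundle, and a validity check.
# All names, paths and the password are constructed; WORK defaults to a
# fresh temporary directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca: create a self-signed CA certificate and key (10-year validity).
# Apache would point SSLCACertificateFile at ca.crt next to
# "SSLVerifyClient require" so only certificates issued here are accepted.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Customer CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_client NAME DAYS PASSWORD
# Generates a key and CSR for the customer, signs the CSR with the CA for
# DAYS days, and packs key + certificate + CA certificate into NAME.pfx.
issue_client() {
    name="$1"; days="$2"; pass="$3"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days "$days" -out "$WORK/$name.crt" 2>/dev/null
    openssl pkcs12 -export -name "$name" \
        -inkey "$WORK/$name.key" -in "$WORK/$name.crt" -certfile "$WORK/ca.crt" \
        -passout "pass:$pass" -out "$WORK/$name.pfx"
}

# chains_to_ca NAME: exit 0 if the issued certificate verifies against the CA,
# i.e. the same check mod_ssl performs on the presented client certificate.
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# still_valid_in NAME DAYS: exit 0 if the certificate will still be valid
# DAYS days from now, 1 if it will have expired by then. A short validity
# bounds how long a .pfx that has been passed on or intercepted stays usable.
still_valid_in() {
    openssl x509 -noout -in "$WORK/$1.crt" -checkend "$(( $2 * 86400 ))" >/dev/null
}

# pfx_subject NAME PASSWORD: print the subject of the certificate inside the
# .pfx, which is what the server sees as the client identity after the handshake.
pfx_subject() {
    openssl pkcs12 -in "$WORK/$1.pfx" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject
}

# Demonstration run: issue a 7-day certificate for a constructed customer.
make_ca
issue_client alice 7 'constructed-demo-password'
chains_to_ca alice && echo "alice.crt chains to the CA"
still_valid_in alice 1 && echo "alice.crt is still valid tomorrow"
still_valid_in alice 30 || echo "alice.crt will have expired within 30 days"
pfx_subject alice 'constructed-demo-password'
```

The Apache directive value is spelled `SSLVerifyClient require`. With OpenSSL 3.x, `openssl pkcs12 -export` defaults to AES and PBKDF2, which older Windows importers cannot read; add `-legacy` when the .pfx has to be imported on such a client. Expiry only limits the window: revoking a certificate that is known to have been shared still needs a CRL published through SSLCARevocationFile.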