I have a situation where my trusted root has two different kinds of intermediate CAs (identity and email, say) that issue identity and email signing certificates, respectively. I would like to only allow users to authenticate to my Apache web servers with the identity certificate.
The certificateRequest message, I thought, allows me to control not just what type (RSA-sign, Key exch, et al) of certificates are submitted but also what intermediate CAs are acceptable. I have gotten this to work in the past and now it has mysteriously stopped working. Using Apache V2.0.5 and OpenSSL 0.9.7d.

Without this discrimination at the server, users who have both identity and email certs get prompted to pick from the two since they both are RSA-sign certs issued by the same trusted root CA. Both the TLS1 RFC2246 and SSLv3 Draft seem to say this is controllable.

What have you out there found/implemented? What conditions and/or versions would allow me to indicate to the user browser that only the identity CA is acceptable?

Excerpt from my httpd.conf:

    SSLEngine on
    SSLSessionCacheTimeout 3600
    SSLCACertificatePath /admin/users/fin23117/apache2/conf/CAcerts/
    SSLCertificateFile /admin/users/fin23117/apache2/conf/engsslcert.pem
    SSLCertificateKeyFile /admin/users/fin23117/apache2/conf/engsslkey.pem
    SSLProtocol All -SSLv2
    SSLCipherSuite RSA:!NULL:!EXP:+HIGH:+MEDIUM:-LOW
    SSLOptions +StdEnvVars +ExportCertData
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +StdEnvVars +ExportCertData

Contents of CAcerts directory:

    <hash.0>  symbolic links to pem encoded identity CA certificates
    <hash.0>  symbolic link to pem encoded root CA certificate

I have debug level logging on and I can see where my SSLCACertificatePath certs are loaded into the config successfully.

My users don't know the difference between certificates (let alone what a certificate is) and I don't have time to explain to the thousands of them which one to pick. Conversely, if I can guarantee that only the identity cert is authenticated to my site, I will only need to support (the smaller) half of the CRLs I would need to otherwise.

Thanks to all who offer any insight.
regards, tt
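The CertificateRequest structure the post refers to (RFC 2246 section 7.4.4), as an added example that is not part of the original post: a small Python encoder and decoder for the message body that lists the certificate types and the CA names a server advertises, so a captured handshake can be checked for whether only the identity CA is offered. The CA names are constructed, and the DN decoder recognises only the CN and O attribute types.

```python
"""TLS 1.0 CertificateRequest (RFC 2246 7.4.4): encode a sample body and decode the
certificate_authorities list a server advertises. Sample names are constructed."""
import struct

CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}
ATTR_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}  # DER OID bytes -> attribute

def _der(tag, body):
    """One DER TLV; short-form length only (body must be shorter than 128 bytes)."""
    return bytes([tag, len(body)]) + body

def encode_name(attrs):
    """DER X.501 Name from [(oid_bytes, text)], one single-valued RDN per attribute."""
    rdns = b"".join(_der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, v.encode())))
                    for oid, v in attrs)
    return _der(0x30, rdns)

def encode_certificate_request(cert_types, ca_names):
    """certificate_types<1..2^8-1> followed by the DistinguishedName list<3..2^16-1>."""
    dns = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return bytes([len(cert_types)]) + bytes(cert_types) + struct.pack("!H", len(dns)) + dns

def _tlv_iter(data):
    """Yield (tag, body) for consecutive short-form DER TLVs."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def decode_name(der):
    """Render a DER Name as 'O=...,CN=...'; unrecognised OIDs are shown as hex."""
    parts = []
    for _, rdn in _tlv_iter(der[2:]):           # each SET inside the outer SEQUENCE
        for _, atv in _tlv_iter(rdn):           # each AttributeTypeAndValue SEQUENCE
            (_, oid), (_, value) = list(_tlv_iter(atv))
            parts.append(f"{ATTR_OIDS.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)

def parse_certificate_request(body):
    """Return (certificate type names, [DN strings]) from a CertificateRequest body."""
    n = body[0]
    types = [CERT_TYPES.get(t, str(t)) for t in body[1:1 + n]]
    i, end, dns = 3 + n, 3 + n + struct.unpack("!H", body[1 + n:3 + n])[0], []
    while i < end:
        length = struct.unpack("!H", body[i:i + 2])[0]
        dns.append(decode_name(body[i + 2:i + 2 + length]))
        i += 2 + length
    return types, dns

# Constructed sample: a server that advertises only the identity CA for rsa_sign clients.
IDENTITY_CA = encode_name([(b"\x55\x04\x0a", "Example Corp"), (b"\x55\x04\x03", "Identity CA")])
SAMPLE_REQUEST = encode_certificate_request([1], [IDENTITY_CA])
```

Against a live server, `openssl s_client -connect host:443` prints the same list under "Acceptable client certificate CA names", which is the quickest way to see whether the root CA is still being advertised alongside the identity CA.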