Hi,

Thanks for all the help everyone.

> We're signing the certificates for users. They call up the servers and
> present a certificate which authorises them. The root certificate is
> stored on the servers, and the fingerprint of it is stored in custom
> silicon (so no-one can change the entire hierarchy). This is because
> some of the systems are not online and hence can't "call home" to
> check they have the correct root CA and one concern is physical
> subversion of the CA cert stored on the server's hard drive (both the
> users and the servers are out of our physical control, in essence).
>
> The user certificates contain a list of servers they're allowed to
> access, along with which IPs they can do it from (so that stealing a
> copy of the certificate AND the private key won't let you access a
> server illicitly).

Could you give me some examples of how this is achieved? I am still unsure of the exact commands/parameters to use, especially when it comes to setting up the client(s).

Cheers,
Mark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
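The commands the quoted design calls for, as an added example that is not part of the original thread or any reply to it: an offline root CA whose SHA-256 fingerprint is the value that would be pinned in the custom silicon, a user certificate signed by that root, a server-side check that refuses the on-disk root unless it matches the pinned fingerprint and then verifies the chain, and an authorisation check of the allowed servers and source IPs. Carrying the server list and permitted IPs in subjectAltName (DNS entries for servers, IP entries for source addresses) is an encoding chosen for this example, not something the thread specifies; the names and addresses (Example Root CA, alice, server1.example, 192.0.2.10 and so on) are invented, and the script assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): a scratch PKI following the
# design quoted above. Assumes openssl 1.1.1+ on PATH. Names, hostnames and
# addresses (Example Root CA, alice, server1.example, 192.0.2.10, ...) are
# invented for the example. Everything is written to a temporary directory.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Offline root CA. The fingerprint of root.crt is what would be burned into
#    the custom silicon; the file itself lives on each server's disk.
make_root() {
    cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config root.cnf -keyout root.key -out root.crt 2>/dev/null
}

# 2. SHA-256 fingerprint of the root as colon-separated hex (the pinned value).
root_fingerprint() {
    openssl x509 -in root.crt -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 3. Issue a user certificate. Allowed servers and permitted source IPs go into
#    subjectAltName (DNS: for servers, IP: for source addresses); this encoding
#    is an assumption of the example, not something the thread specifies.
issue_user() {
    user=$1 servers=$2 ips=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$user.key" -out "$user.csr" -subj "/CN=$user" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=%s,%s\n' \
        "$servers" "$ips" > "$user.ext"
    openssl x509 -req -in "$user.csr" -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile "$user.ext" -out "$user.crt" 2>/dev/null
}

# 4. Server side on connect: refuse the on-disk root unless its fingerprint
#    matches the pinned value, then verify the presented certificate chains to it.
verify_user() {
    user=$1 pinned=$2
    [ "$(root_fingerprint)" = "$pinned" ] || return 1
    openssl verify -CAfile root.crt -purpose sslclient "$user.crt" >/dev/null 2>&1
}

# 5. Authorisation: the certificate must name this server and the peer IP
#    observed on the connection (taken from the socket, never from the client).
authorised() {
    user=$1 server=$2 peer_ip=$3
    entries=$(openssl x509 -in "$user.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed 's/^[[:space:]]*//')
    printf '%s\n' "$entries" | grep -qxF "DNS:$server"         || return 1
    printf '%s\n' "$entries" | grep -qxF "IP Address:$peer_ip" || return 1
}

make_root
PINNED=$(root_fingerprint)
issue_user alice "DNS:server1.example,DNS:server3.example" "IP:192.0.2.10"
echo "pinned root fingerprint: $PINNED"
verify_user alice "$PINNED" && echo "alice: chain verifies against the pinned root"
authorised alice server1.example 192.0.2.10 && echo "alice from 192.0.2.10 -> server1.example: allowed"
authorised alice server2.example 192.0.2.10 || echo "alice from 192.0.2.10 -> server2.example: denied"
```

Two points a practitioner would want on top of the commands: no TLS library compares a client certificate's subjectAltName against the peer's source address for you, so the check in `authorised` has to run in the application after the handshake, using the address the socket reports; and pinning the root's fingerprint protects the root file on disk, not the server code that does the comparison, so the hardware-held value only helps if that code path is itself trusted.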