Hi all, I made the classic newbie mistake of asking how to solve a particular pointed implementation detail without explaining the overall problem that I'm trying to solve.
Suppose one wants to secure a server application which accepts incoming HTTPS connections from anywhere. We'll call this Server A. This server application is intended to only accept connections from other satellite server applications (say Server 1, 2, 3, etc.). The end users' LAN-only application connects to these satellite servers, and then the satellite servers pass on application data to Server A. Essentially the end users' application does its job through the satellite server (Servers 1, 2, 3, etc.) -> Server A HTTPS tunnel.

My thoughts were that in this scenario, the best way to implement (HTTPS) SSL/TLS would be for Server A (with a server certificate) to only accept HTTPS connections from Servers 1, 2, 3, etc. that have valid client certificates, rather than hardcoding some kind of username/password into Servers 1, 2, 3, etc. to connect to Server A, which accepts anonymous TLS connections from anywhere. Thoughts?

Then the implementation involves distributing certificates / private keys to Servers 1, 2, 3, etc. and ensuring Server A's HTTPS server only establishes TLS sessions for clients with valid client certificates, not just anyone à la Hotmail. Thanks to Mr. Duchovni it appears the term I'm searching for these password-encrypted client certificate / private key bundles is pkcs12. This pkcs12 distribution would be done offline to Servers 1, 2, 3, etc.

Now I believe Victor mentioned these pkcs12 bundles should not be used in place of a username / password for Servers 1, 2, 3, etc. to connect to Server A. If so, what else needs to be done? Should Server A also require a username and password for Servers 1, 2, 3, etc. as well as a valid client certificate? Or should a username map to a pkcs12 bundle?

Thanks,
Chris

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
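The Server A check described in the post, as an added Go example (not code from the list or from OpenSSL): Server A completes a TLS session only with a client that presents a certificate issued by the satellites' own CA, and takes the satellite's identity from that verified certificate rather than from anything the client claims. It builds a throwaway private CA, a Server A certificate and a satellite certificate in memory (the names satellite-ca, server-a and server-1 are made up for the demo) and runs handshakes over loopback with and without a valid client certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// makeCert issues a certificate for cn: self-signed (a private CA) when issuer is nil, else signed by issuer.
func makeCert(cn string, isCA bool, issuer *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	parent, signer := tmpl, any(key)
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// AcceptedClientCN runs one handshake against a loopback "Server A" that requires a client certificate issued by ca; it returns the CN Server A verified, or "" when Server A refused the session.
func AcceptedClientCN(ca, srv tls.Certificate, clientCerts ...tls.Certificate) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert}) // the check the post asks for: no valid client cert, no session
	defer ln.Close()
	go func() { // the satellite side: handshake, then wait for Server A to close (accepted) or send its alert (rejected)
		if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "server-a", Certificates: clientCerts}); err == nil {
			c.Read(make([]byte, 1))
			c.Close()
		}
	}()
	a, _ := ln.Accept()
	defer a.Close()
	if a.(*tls.Conn).Handshake() != nil {
		return "" // refused: no certificate, or one not issued by the satellite CA
	}
	return a.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName // identity from the verified cert, not a claimed name
}
func main() {
	ca := makeCert("satellite-ca", true, nil)
	srv, s1 := makeCert("server-a", false, &ca), makeCert("server-1", false, &ca)
	println(AcceptedClientCN(ca, srv, s1), AcceptedClientCN(ca, srv)) // "server-1", then "" for an anonymous client
}
```

A certificate with the right name but issued by some other CA is refused the same way as no certificate at all, which is what makes the verified CN usable as the satellite's identity.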