stortoaranci wrote:
> Hi All,
>
> I just have a silly question on OpenSSL.
>
> I use a self-signed CA to sign several server/client certs.
>
> For example I could use signed certs to implement an OpenVPN LAN and one
> Wi-Fi RADIUS auth for different clients.
>
> The question is: "how to be sure that a client allowed to use the wifi does
> not use the same cert on the OpenVPN LAN"?
>
> In other words, how could I segregate clients using the same CA?
>

You don't (with a couple of caveats) -
Certificates are for proving identity (who you are, authentication) - other systems have to be used to say what you are allowed to do (attributes, authorisation).

The caveat that I mentioned above is that it is possible to use keyUsage and extendedKeyUsage to specify that certain keys are allowed to do certain functions. This is mostly used to distinguish between certificates/keys to be used for encryption vs. signature/identity, which certificates are used for client vs. server side identity, etc.

So, what you may want to do is to have your Wi-Fi and VPN system query an attribute database (or other source of authorisation), and find out from there whether a particular user who is represented by a certificate is allowed to use a particular service.

Have fun.

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
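The two mechanisms from the reply above, worked through with the openssl command line as an added example (not code from the thread): extendedKeyUsage separates client from server identities, and a service-specific authorisation table, keyed by certificate fingerprint, decides which identity may use Wi-Fi or VPN. The demo CA, the names "alice" and "vpngw", and the table format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): one shared CA, two ways to bound what a cert may do.
# 1) extendedKeyUsage separates client identities from server identities.
# 2) An authorisation table, keyed by certificate fingerprint, decides which SERVICE
#    (wifi or vpn) a given identity may use; the CA alone cannot express that.
set -e
WORK=$(mktemp -d)

# Constructed demo CA (self-signed), used to issue every certificate below.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue NAME EKU: CSR for /CN=NAME, signed by the demo CA with the given extendedKeyUsage.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -days 1 -out "$WORK/$1.crt" 2>/dev/null
}
issue alice clientAuth   # a user's cert: may act as a TLS client only
issue vpngw serverAuth   # the VPN gateway's cert: may act as a TLS server only

# verify_purpose CERT PURPOSE: chain-validate CERT against the demo CA for an OpenSSL
# purpose (sslclient / sslserver); exit 0 if the EKU permits it, non-zero otherwise.
verify_purpose() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# fp CERT: SHA-256 fingerprint, the stable key for the authorisation table.
fp() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# Constructed authorisation table, one "<fingerprint> <service>" entry per line.
# Alice is a Wi-Fi user only; nothing in her certificate says so, this table does.
AUTHZ="$(fp "$WORK/alice.crt") wifi"

# is_allowed CERT SERVICE: exit 0 only if CERT is a valid client cert from the CA
# (authentication) AND its fingerprint is listed for SERVICE (authorisation).
is_allowed() {
  verify_purpose "$1" sslclient || return 1
  printf '%s\n' "$AUTHZ" | grep -qxF "$(fp "$1") $2"
}
```

A RADIUS or OpenVPN deployment would consult the same kind of table from its own hook (the fingerprint or subject lookup is what matters, not the shell glue).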