Kobus Bensch - No Sig wrote:
> 
> They want a unique ca per client to be able to sign certs for each client
> using their own CA.
> 

Hi Kobus:

CAs allow CA chains, that is, only one CA being a true root signing sub-CA
certs.  Having many root CAs creates the feeling of disorganization, though
sub-CA certs provide a more organized structure, which also provides the
meaning of every sub-CA (finance-CA, research-CA, accounting-CA,
training-CA, etc.).

The concept of ONE CA per client sounds like a disorganized concept,
because the web server (say Apache) allows for an *SSLRequire* directive
(see http://www.nabble.com/forum/ViewPost.jtp?post=24559656&framed=y) which
lets you verify every client individually, and not only by name or
organization but even by access time or remote address.  I re-copy here the
core part of this approach, which you can find in the Apache SSL virtual host
template dir:

  #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

Another directive (SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt)
deals with allowed CAs; the CA bundle file is just a list of certs that
your server allows.  That is where your TRUE root CA resides, so that's
another reason why you should not have many ROOT certs there, or your
CA-bundle file would grow without limit.  If you wish to know all the
SSL_CLIENT_... possibilities (the span of names), check the HTTP headers
when connecting to your webserver.  You will see all the client's cert
fields and will notice that CLIENT_S stands for "subject" while CLIENT_I
stands for "issuer", both of the CLIENT's cert.

Hope this helps.
-- 
View this message in context: 
http://www.nabble.com/Multiple-CAs-tp24590138p24592718.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
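As an added example (not code from the post, from Apache or from the OpenSSL project), the following script builds the structure the reply describes with the openssl CLI: one TRUE root that is the only cert in the server's CA bundle, a departmental sub-CA chained to it, and a client cert issued by that sub-CA, plus an unrelated second root to show why a cert from a CA outside the bundle is rejected. It assumes the openssl CLI (1.1.1 or later) is on PATH; every name and subject is made up.

```shell
#!/bin/sh
# Added example, not from the post: one TRUE root, a departmental sub-CA
# ("finance-CA") and a client cert, then verification against a bundle that
# holds only the root. A second, unrelated root ("Other Org") shows why a
# cert from a CA that is not in the bundle is rejected. Assumes the openssl
# CLI (1.1.1+) on PATH; all names and subjects are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# newkey NAME SUBJECT -> NAME.key and NAME.csr
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}
# sign NAME ISSUER EXTFILE -> NAME.pem; self-signed when ISSUER equals NAME
sign() {
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 365 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

newkey root    "/O=Snake Oil, Ltd./CN=Root CA";          sign root    root    ca.ext
newkey finance "/O=Snake Oil, Ltd./OU=CA/CN=finance-CA"; sign finance root    ca.ext
newkey alice   "/O=Snake Oil, Ltd./OU=Staff/CN=alice";   sign alice   finance leaf.ext
newkey other   "/O=Other Org/CN=Other Root";             sign other   other   ca.ext
newkey bob     "/O=Other Org/OU=Staff/CN=bob";           sign bob     other   leaf.ext

# The bundle (SSLCACertificateFile) holds only root.pem. The sub-CA cert is
# passed as untrusted, as a client would send it alongside its own cert.
verify_client() {
  openssl verify -CAfile root.pem -untrusted finance.pem "$1.pem" >/dev/null 2>&1
}
# subject_field NAME ATTR -> one subject DN attribute (e.g. OU), the value
# Apache exposes to SSLRequire as %{SSL_CLIENT_S_DN_<ATTR>}
subject_field() {
  openssl x509 -in "$1.pem" -noout -subject -nameopt RFC2253 |
    sed -n "s/.*[=,]$2=\([^,]*\).*/\1/p"
}

verify_client alice && echo "alice: accepted (chains to root via finance-CA)"
verify_client bob   || echo "bob: rejected (Other Root is not in the bundle)"
echo "alice OU=$(subject_field alice OU)"
```

Adding another department is one more sub-CA signed by the same root; the bundle file does not change.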
