Title: Fullnet Solutions Limited
Hi

Thank you for this, this is great. So to recap.

I have one CA

That one CA can generate multiple certs that can then be used per Apache virtual host to allow only that one client to connect to that virtual host with a specified port number?

End result = better management and an organised cert setup.

Thanks

Kobus

javierm wrote:

Kobus Bensch - No Sig wrote:
  
They want a unique ca per client to be able to sign certs for each client
using their own CA.

    

Hi Kobus:

CAs allow CA chains, that is, only one CA being a true root signing sub-CA
certs.   Having many root CAs creates the feeling of disorganization, though
sub-CA certs provide a more organized structure which also provides the
meaning of every sub-CA (finance-CA, research-CA, accounting-CA,
training-CA, etc).

The concept of ONE-CA per every-client sounds like a disorganized concept,
because the web server (say Apache) allows for an *SSLRequire* directive
(see http://www.nabble.com/forum/ViewPost.jtp?post=24559656&framed=y) which
lets you verify every client individually and not only by name or
organization, but even by access time or remote addr. I re-copy here the core
part of this approach, which you can find in the Apache SSL virtual host
template dir:

  #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

Another directive (SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt)
deals with allowed CAs; the CA bundle file is just a list of certs that
your server allows. That is where your TRUE root CA resides, so that's
another reason why you should not have many ROOT certs there, or your
CA-bundle file would grow without limit.  If you wish to know all the
SSL_CLIENT.... possibilities (the span of names), check the HTTP headers
when connecting to your webserver.   You will see all the client's cert
fields and will notice that CLIENT_S stands for "subject" while CLIENT_I
stands for "issuer", both of the CLIENT's cert.

Hope this helps.
  

--
35 St. Lukes Road
Maidenhead
Berkshire
SL6 7DN
United Kingdom

Telephone: +44 (01628) 675 978
Facsimile: +44 (07092) 289 990
Mobile Phone: +44 (07703) 503 733
Skype ID: fullnetsolutionsltd
Kobus Bensch: kben...@fullnet.co.uk

Information: i...@fullnet.co.uk

Sales Team: fslsa...@fullnet.co.uk

WWW: http://www.fullnet.co.uk

Registered in England & Wales, Company Number 3568937

VAT registration number: UK 714 7309 42

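As an added illustration of the setup recapped in this thread (my own example, not configuration from either poster): one root CA with a sub-CA per client, and each Apache virtual host on its own port accepting only certificates issued by that client's sub-CA. The file paths, ports, organisation names and OU values are assumed placeholders.

```apache
# Added example, not from the thread. Paths, ports and DN values are assumed.
# Trust store: ONE root CA plus the per-client sub-CAs it signed, concatenated
# as PEM. The sub-CAs must be here so Apache can build the chain to the root:
#   cat root-ca.crt client-a-subca.crt client-b-subca.crt > ca-bundle.crt

Listen 8443
Listen 9443

# Virtual host for client A on port 8443
<VirtualHost *:8443>
    ServerName client-a.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    # One bundle for every vhost; it does not grow per client.
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca-bundle.crt
    SSLVerifyClient require
    # Depth 2 covers client cert -> sub-CA -> root.
    SSLVerifyDepth  2

    # Only advertise client A's sub-CA in the certificate request, so the
    # client picks the right cert. Trust is still decided by the bundle above.
    SSLCADNRequestFile /etc/apache2/ssl.crt/client-a-subca.crt

    # Pin on the ISSUER (SSL_CLIENT_I_*), not only the subject: a cert from
    # client B's sub-CA chains to the same root but fails this check.
    <Location />
        SSLRequire %{SSL_CLIENT_I_DN_O}  eq "Example Root Org" \
               and %{SSL_CLIENT_I_DN_OU} eq "client-a-CA"
    </Location>
</VirtualHost>

# Virtual host for client B on port 9443: same bundle, different issuer pin
<VirtualHost *:9443>
    ServerName client-b.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca-bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCADNRequestFile /etc/apache2/ssl.crt/client-b-subca.crt
    <Location />
        SSLRequire %{SSL_CLIENT_I_DN_O}  eq "Example Root Org" \
               and %{SSL_CLIENT_I_DN_OU} eq "client-b-CA"
    </Location>
</VirtualHost>
```

On Apache 2.4, SSLRequire is deprecated in favour of the equivalent `Require expr` syntax, but the same SSL_CLIENT_I_DN_* variables are available there.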
