Hi again: Not exactly to associate one CA per virtual host. This all can be done by only one virtual host, even though you can have all the VH you need. Apache allows you to do many things with just one virtual host.

For example, if you notice the directive SSLRequire, it is inside a LOCATION tag. This means you can send every client, or every group of clients associated to one sub-CA (i.e. all clients linked to financial-CA), to one specific location of the server, with a specific database, a specific set of directories and applications, graphics, etc.

Yes, recap:

1. Create your root cert:
   openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 1095
   (3 years, for example)

2. Create sub-cert *requests* to be signed by the previous root:
   openssl req -new -key subCA_key.pem -out subCA_req.pem

3. Sign every request with the root CA:
   openssl x509 -req -in subCA_req.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial -extfile openssl.cnf -extensions usr_cert -out subCA1_cert.pem -days 1095

I skipped key creation; you will need a pair for every cert needed. I also skipped the openssl.cnf details; there are heaps to play around with, including the attributes of every cert, where you say things like the cert is a CA to sign other certs, or it is for email encryption, browser, etc. It's good to have an openssl.cnf for every cert created, because there you can even include the challenge password and other details you later might find difficult to find elsewhere. You could zip or gzip your bundle of openssl.cnf files and then encrypt the whole unit with your own cert. Ok, that's the standard paranoia procedures; sure you can make up better ones.

From there to Apache ssl_virtual host configuration.

Hope this clarifies better. Sorry if I went into too stupid/obvious things.

Regards.

Kobus Bensch - No Sig wrote:
>
> Hi
> I have one CA
> That one CA can generate multiple Certs that can then be used per apache
> virtual host to allow only that one client to connect to that virtual
> host with a specified port number?
> End result = better management and an organised cert setup.
> Kobus

--
View this message in context: http://www.nabble.com/Multiple-CAs-tp24590138p24593391.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
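The three-step recap above (root cert, sub-CA requests, signing with extensions from a config section) and the SSLRequire-inside-Location idea, carried through end to end as an added example. This is not code from the original post or from the OpenSSL project; it assumes an `openssl` binary of 1.1.1 or later on PATH, and every name in it (Demo Root CA, Demo Finance Sub-CA, Demo HR Sub-CA, alice, the `ca.cnf` sections, the temporary work directory) is constructed for the demo. It uses 2048-bit keys rather than 1024, since 1024-bit RSA is below current minimums, and it keeps all extension sections in one config file. Note that the sub-CAs are signed with a section that sets `basicConstraints = CA:TRUE`; a certificate signed with an end-entity section cannot itself issue client certificates that verify, which is the usual reason a two-level setup fails at the `openssl verify` step.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the CA layout the
# reply describes (one root, several sub-CAs, clients issued by a sub-CA),
# verifies a client chain the way mod_ssl would, and emits the <Location>
# block that pins a path to one sub-CA. All names (Demo Root CA, Demo
# Finance Sub-CA, alice, the work directory) are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
DAYS=365

# One config for every request and signature, so the extension sections
# live in a single file instead of one openssl.cnf per cert.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_root
[dn]
CN = Demo Root CA
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Step 1: self-signed root, explicitly marked as a CA via [v3_root].
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
    -config "$WORK/ca.cnf" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Steps 2 and 3: a request, then a signature by the parent CA using the
# chosen extension section. $1 name, $2 CN, $3 parent name, $4 section.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions "$4" \
    -days "$DAYS" -out "$WORK/$1.pem" 2>/dev/null
}

# Chain check as mod_ssl performs it: the root is trusted, the sub-CA is an
# untrusted intermediate that must link client to root. Prints ok or fail.
verify_client() {  # $1 client name, $2 sub-CA name
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$2.pem" \
       "$WORK/$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Does a cert carry CA:TRUE? Prints yes or no. A sub-CA must say yes.
is_ca() {  # $1 cert name
  if openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Apache fragment: one virtual host, one trusted bundle (root plus every
# sub-CA, so the server can build chains), and a Location that only admits
# certificates whose issuer CN is the named sub-CA.
apache_fragment() {  # $1 path, $2 sub-CA CN
  cat <<EOF
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile $WORK/ca-bundle.pem
<Location $1>
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "$2"
</Location>
EOF
}

build_all() {
  write_config
  make_root
  issue_cert finance "Demo Finance Sub-CA" root v3_subca
  issue_cert hr "Demo HR Sub-CA" root v3_subca
  issue_cert alice "alice" finance v3_client
  cat "$WORK/root.pem" "$WORK/finance.pem" "$WORK/hr.pem" > "$WORK/ca-bundle.pem"
}

build_all
verify_client alice finance   # ok: root -> finance -> alice
verify_client alice hr        # fail: hr never issued alice's cert
is_ca finance                 # yes
is_ca alice                   # no
apache_fragment /finance "Demo Finance Sub-CA"
```

The generated files stay in `$WORK` (set it yourself to keep them somewhere fixed). The second `verify_client` call is the failure mode worth seeing once: a client cert is only as good as the chain the server can build to it, so `SSLCACertificateFile` has to carry every sub-CA as well as the root, and `SSLVerifyDepth` has to allow the extra level. `SSLRequire` is what the reply describes and still works, but on Apache 2.4 mod_ssl documents it as deprecated in favour of `Require expr` with the same `SSL_CLIENT_I_DN_CN` variable.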