OpenSSL hashes the subject name. " This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name. " but that seems weak.
http://www.openssl.org/docs/apps/x509.html#http://www.openssl.org/docs/apps/verify.html# -----Original Message----- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Monday, November 09, 2009 2:06 PM To: Tomcat Users List Subject: Identifying Clients via SSL Certificates -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, I've been playing around with client SSL certificates, not for authentication per se, but as a gateway to a relaxed authentication mechanism for one of our webapps. I have a client SSL cert working (see my previous thread "mod_jk & Client SSL Certificates") and successfully verifying the signature of the client cert by the server. I'd like to be able to uniquely identify the client certificate being used to authenticate via SSL, but I'm a newbie at this sort of thing and I'd appreciate some suggestions as to how to do that. A few ideas I've had are: 1. Use a directory-style 'CN' attribute like "UID=myuniqueid" 2. Use the fingerprint of the client certificate 3. Use the full text of the client certificate All 3 of the above can be used to then link to appropriate records in the database for limited authentication. Does anyone have any suggestions or preferred techniques? Thanks, - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkr4aBwACgkQ9CaO5/Lv0PDIFgCfb69oibXH3GAwQ1R4z40eux+w lQcAoL5rFQHQX2rSWjh1LVoptUHXCQLt =gPOY -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
