OpenSSL hashes the subject name. 
   " This is used in OpenSSL to form an index to allow certificates in a 
directory to be looked up by subject name. "
but that seems weak.

http://www.openssl.org/docs/apps/x509.html
http://www.openssl.org/docs/apps/verify.html

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Monday, November 09, 2009 2:06 PM
To: Tomcat Users List
Subject: Identifying Clients via SSL Certificates


All,

I've been playing around with client SSL certificates, not for authentication 
per se, but as a gateway to a relaxed authentication mechanism for one of our 
webapps.

I have a client SSL cert working (see my previous thread "mod_jk & Client SSL 
Certificates"), and the server is successfully verifying the signature of the 
client cert.

I'd like to be able to uniquely identify the client certificate being used to 
authenticate via SSL, but I'm a newbie at this sort of thing and I'd appreciate 
some suggestions as to how to do that. A few ideas I've had are:

1. Use a directory-style 'CN' attribute like "UID=myuniqueid"

2. Use the fingerprint of the client certificate

3. Use the full text of the client certificate

All 3 of the above can be used to then link to appropriate records in the 
database for limited authentication.

Does anyone have any suggestions or preferred techniques?

Thanks,
- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
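Worked example, added here and not code from either message or from Tomcat itself: a servlet filter for the setup Chris describes, deriving options 1 and 2 from the client certificate Tomcat already verified, and showing why the reply's objection to the OpenSSL subject hash holds. It assumes Tomcat's standard "javax.servlet.request.X509Certificate" request attribute (Tomcat 10 and later use the jakarta.servlet package names instead), a hypothetical filter class name, and made-up "client.*" attribute names for handing the identifiers to the servlet behind it.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not from the thread): pulls the client
 * certificate Tomcat verified during the TLS handshake and derives the
 * candidate identifiers from it so a downstream servlet can map them to a
 * database record.
 */
public class ClientCertIdentityFilter implements Filter {

    /** Request attribute under which Tomcat exposes the verified client chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // Nothing presented: happens with clientAuth="want" when the client declines.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        X509Certificate leaf = certs[0]; // certs[0] is the client's own cert, then its issuers
        try {
            // Option 2: fingerprint of the exact certificate (changes when the cert is renewed).
            req.setAttribute("client.fingerprint", fingerprint(leaf, "SHA-256"));
            // Option 1: a stable attribute from the subject DN, qualified by the issuer so
            // the same DN issued by a different CA is not mistaken for the same client.
            req.setAttribute("client.issuer", leaf.getIssuerX500Principal().getName());
            req.setAttribute("client.uid", rdnValue(leaf, "UID"));
            // Option 3 is just leaf.getEncoded(): the DER bytes the fingerprint is computed over.
        } catch (GeneralSecurityException e) {
            throw new ServletException("cannot digest client certificate", e);
        } catch (InvalidNameException e) {
            throw new ServletException("cannot parse client subject DN", e);
        }
        chain.doFilter(req, res);
    }

    /**
     * Lower-case hex digest over the DER encoding: the same value that
     * "openssl x509 -noout -fingerprint -sha256" prints, minus the colons.
     */
    static String fingerprint(X509Certificate cert, String algorithm)
            throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * First value of the given RDN type in the subject, or null if absent.
     * getName() yields RFC 2253 form, in which UID is a recognised keyword.
     */
    static String rdnValue(X509Certificate cert, String type) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }
}
```

Two caveats when picking the database key. The fingerprint identifies one exact certificate, so it is the strongest link but silently stops matching when the client renews; a DN attribute such as UID survives renewal, but it is only unique within a single issuer, so store it together with the issuer DN and keep the connector's truststore limited to the CA you actually control. The value the reply quotes, from "openssl x509 -subject_hash", is something else again: a truncated 32-bit hash used only to name files in an OpenSSL CApath directory (collisions are resolved with .0, .1 ... suffixes), so it is an index for finding a certificate, not an identifier to key records on.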