On 7/19/2012 10:11 AM, Tom Browder wrote:
> I have a single server with a multiple vhost SSL certificate from a
> recognized CA. All vhosts are using SSL/TLS successfully and
> exclusively with HSTS enforcement.
>
> I would now like to add SSL client certificates for individual vhost
> private directory access and plan to do so using a self-generated,
> self-signed CA certificate (self-CA) setup, with one certificate per
> authorized user and vhost. My question for my setup is this:
>
> Does the client browser have to import anything other than its
> assigned SSL client certificate?
>
> One source I've found says I will also have to have my self-CA
> certificate available for import by each client browser but another
> source says no (I can provide the sources later when I get access to
> my own computer). The Apache 2.4 docs, as I interpret them, imply
> that they are two separate things and only the single client
> certificate will have to be imported since the session SSL connection
> is created through the widely-recognized CA certificate.
>
> (I apologize for any unclear terminology--I am still trying to sort it all out.)
>
> Thanks.

Since your servers are signed by a known CA, the browsers will only need to have a private key/certificate imported to function. In your httpd vhost, you will place your self-signed CA certificate (the one that signs the client certs) in the file pointed to by SSLCACertificateFile.

-- 
Daniel Ruggeri
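As an added illustration (not part of Daniel's reply), an Apache 2.4 vhost fragment in the shape he describes: the public-CA certificate authenticates the server, the self-CA goes only into SSLCACertificateFile, and one private directory requires a client certificate. All file paths, the host name and the user CN "alice" are placeholder assumptions.

```apache
<VirtualHost *:443>
    ServerName vhost1.example.com

    # Server identity: the certificate from the recognised public CA.
    # This is what the browser validates, so the private self-CA below
    # never needs to be imported into the browser's trust store.
    # (placeholder paths)
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/vhost1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/vhost1.example.com.key

    # HSTS, as already enforced on the existing vhosts
    Header always set Strict-Transport-Security "max-age=31536000"

    # Client-auth trust anchor: the self-signed CA that issued the user
    # certificates. httpd sends this CA's subject name in the TLS
    # CertificateRequest, which is how the browser decides which of the
    # user's installed certificates to offer. Server-side only.
    # (placeholder path)
    SSLCACertificateFile /etc/ssl/private-ca/self-ca.crt
    # user cert -> self-CA is a chain of depth 1
    SSLVerifyDepth 1

    # Only the private directory demands a client certificate; the rest
    # of the vhost stays open. Because SSLVerifyClient is set per
    # directory, httpd renegotiates the TLS session on the first request
    # into it, and rejects the request if no acceptable cert is offered.
    # (placeholder path)
    <Directory "/var/www/vhost1/private">
        SSLVerifyClient require
        # One certificate per user and vhost: bind this directory to the
        # CN of the cert issued for it ("alice" is a placeholder).
        Require expr %{SSL_CLIENT_S_DN_CN} == "alice"
    </Directory>
</VirtualHost>
```

With this in place the only thing imported on the client side is the user's own certificate plus private key (typically a PKCS#12 file); the self-CA certificate stays on the server.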