On Wed, Sep 5, 2012 at 4:32 PM, Mark Montague <mark@xxxxxxxxxxx> wrote:
...
> As you can see, the CN is not a hostname and does not get validated by
> httpd. You need to rely on the certificate authorities you trust in order to
> not sign certificates for "improper" CNs -- for example, the CN of a host
> that does not belong to the requester. And you need to trust the holder of
> the cert to keep their private key secure. If you cannot do these two
> things, you should not trust the CA in question, or you should not accept
> certificates at all.

So the client cert. does contain the private key? Then its password is all
that is protecting it?

Mark, in your experience, what is the best way to distribute client
certificates? I am developing client certificates that I will distribute to
my users, and up to now I planned to distribute them via email and passwords
via US mail.

Thanks.

Best regards,
-Tom