Re: What verification does Apache do as part of SSLVerifyClient?

On Sun, Sep 09, 2012 at 08:36:30AM -0500, Tom Browder wrote:
> So the client cert. does contain the private key?   Then its password
> is all that is protecting it?

No, the key is normally (but not always) kept separately.

> Mark, in your experience, what is the best way to distribute client
> certificates?

1. End user creates private key and CSR.

2. End user sends CSR to the CA (you).

3. The CA (you) examines the CSR and if the CA (you) thinks it is all
correct and the client is who they say they are, etc., creates a signed
certificate from the CSR and sends it back to the user.

By doing this no private key goes over the network and the CA never
knows the end user's passphrase.

HTH,

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
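
The three steps in the reply above, as an added example using the openssl command line (not part of the original message). The demo CA, the subject "alice", the file names and the passphrase are all constructed for illustration; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: CSR-based client certificate issuance with the openssl CLI.
# Names, subjects and the passphrase are constructed for this demo.
set -eu
USER_PASSPHRASE='constructed-demo-passphrase'   # known only to the end user

# One-time CA setup: demo CA key and self-signed CA certificate in $1/ca.
setup_ca() {
  mkdir -p "$1/ca" "$1/user"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Client CA" \
    -keyout "$1/ca/ca.key" -out "$1/ca/ca.crt" 2>/dev/null
}

# Step 1 (end user): passphrase-protected private key plus CSR, both in $1/user.
user_make_csr() {
  openssl req -new -newkey rsa:2048 -subj "/CN=alice/O=Example Org" \
    -passout "pass:$USER_PASSPHRASE" \
    -keyout "$1/user/alice.key" -out "$1/user/alice.csr" 2>/dev/null
}

# Steps 2 and 3: only the CSR travels to the CA. The CA checks the CSR's
# self-signature (proof the requester holds the key), records the subject it
# reviewed, signs the request and returns the certificate.
ca_sign_csr() {
  cp "$1/user/alice.csr" "$1/ca/alice.csr"
  openssl req -in "$1/ca/alice.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$1/ca/alice.csr" -noout -subject >"$1/ca/reviewed-subject.txt"
  openssl x509 -req -in "$1/ca/alice.csr" -days 30 -CA "$1/ca/ca.crt" \
    -CAkey "$1/ca/ca.key" -CAcreateserial -out "$1/ca/alice.crt" 2>/dev/null
  cp "$1/ca/alice.crt" "$1/user/alice.crt"
}

# End-user check: the certificate chains to the CA and carries the public key
# that belongs to the user's own private key.
cert_is_good() {
  openssl verify -CAfile "$1/ca/ca.crt" "$1/user/alice.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$1/user/alice.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1/user/alice.key" -passin "pass:$USER_PASSPHRASE" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

demo_dir=$(mktemp -d)
setup_ca "$demo_dir"; user_make_csr "$demo_dir"; ca_sign_csr "$demo_dir"
cert_is_good "$demo_dir" && echo "issued; CA holds: $(ls "$demo_dir/ca" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

The listing printed at the end shows what the CA side ends up holding: the CSR and the certificates, but neither alice.key nor its passphrase.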
