RE: [users@httpd] Question about how to do certificate based authentication with Apache 2.0.50 ....

If you want to lock it down to exactly ONE client certificate, here's one way to do it.

If you need to screen on more than one cert, perhaps you can use SSL_CLIENT_S_DN_O (I think) instead of SSL_CLIENT_S_DN_CN.


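<Location /SomeVirtualDir>
    # Refuse any request that does not arrive over SSL
    SSLRequireSSL
    # The client must present a certificate that verifies against a trusted CA
    SSLVerifyClient require
    SSLVerifyDepth  3
    # Allow only the certificate with this subject CN and this issuer organization
    SSLRequire       %{SSL_CLIENT_S_DN_CN}  eq "the.client.cert.distinguished.name" \
               and   %{SSL_CLIENT_I_DN_O}   eq "VeriSign Trust Network"
</Location>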

-----Original Message-----
From: Matthew McHugh [mailto:mmchugh@xxxxxxxxx]
Sent: Tuesday, May 31, 2005 10:40 AM
To: users@xxxxxxxxxxxxxxxx
Subject: [users@httpd] Question about how to do certificate based authentication with Apache 2.0.50 ....


Hello All,

I am using Apache 2.0.50 on a Sun solaris webserver.  I am trying to limit (for one virtual host) access to the site.  I want to limit the access to one company that passes me their certificate.  Is there a way to do this with apache 2.0.50?  I see that something can be done with client authentication, but that requires me to create my own CA and hand out certificates, then allow all certs signed by that CA to have access to the environment.  My client will be using a Verisign signed certificate and I do not wish to allow all clients with a Verisign signed certificate to access my protected environment.

Is there a way to lock it down to only one certificate or do I need to allow access to all clients passing certificates that are signed from a specific CA?


Any help would be much appreciated.


Thanks,


Matt

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
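
Added example, not part of the original messages: an SSLRequire variant for the "more than one cert" case mentioned in the reply, with each allowed certificate pinned by issuer DN and serial number as well as by CN. The file path, log name, CNs, issuer DN and serial values are placeholders chosen for illustration.

```apache
# Virtual-host level (these two directives are not valid inside <Location>).

# Trust only the CA chain the client's certificate was issued under.
SSLCACertificateFile /path/to/client-issuer-chain.pem

# Log the values mod_ssl actually sees, so the strings compared below can be
# copied exactly as the server reports them.
CustomLog logs/ssl_client_log \
    "%t %h \"%{SSL_CLIENT_S_DN_CN}x\" \"%{SSL_CLIENT_I_DN}x\" %{SSL_CLIENT_M_SERIAL}x"

<Location /SomeVirtualDir>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  3

    # A check on CN plus issuer O accepts every certificate that carries those
    # two values. Issuer DN plus serial number identifies one specific
    # certificate, so each allowed client is listed as a (CN, serial) pair.
    SSLRequire      %{SSL_CLIENT_I_DN} eq "PLACEHOLDER_ISSUER_DN" \
               and ( (     %{SSL_CLIENT_S_DN_CN}  eq "client-one.example.com" \
                       and %{SSL_CLIENT_M_SERIAL} eq "PLACEHOLDER_SERIAL_1" ) \
                  or (     %{SSL_CLIENT_S_DN_CN}  eq "client-two.example.com" \
                       and %{SSL_CLIENT_M_SERIAL} eq "PLACEHOLDER_SERIAL_2" ) )
</Location>
```

The serial number changes whenever a certificate is reissued, so the pairs have to be updated at each renewal.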


