I just want to double check some things because I'm implementing SSL client auth on my server, to make sure I really understand what I'm doing:

First, if I use SSLRequire to check various fields in a client's certificate, is it implied that the certificate has already been verified as signed by one of the CAs I've defined in SSLCACertificateFile, for instance? In other words, this isn't just checking that someone made a certificate with the correct DN values, right? It's also verifying implicitly that it comes from an approved CA? I assume the same is true if I use FakeBasicAuth?

Second, I was trying to test the above question by creating self-signed certs, adding them to my browser, and making sure the server would not authenticate them. But when I did, my browser (Firefox) didn't even provide them as an option for me to use. I know this isn't strictly an Apache question, but I think this is probably because of the "list of acceptable Certificate Authority names" sent to the browser by my server... does that sound correct? If this is the case, is there a way to get my server to tell the browser that any certificate is fine, but still only actually authenticate those signed by the appropriate CAs?

Using: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8g

Thanks for any help,
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
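For reference, here is an added configuration example (editor's illustration, not part of Brian's message) showing the mod_ssl 2.2 directives the question touches on: SSLVerifyClient, SSLCACertificateFile, SSLRequire, FakeBasicAuth and SSLCADNRequestFile. The file paths, the organisation name "Example Corp" and the location names are assumptions. The point it makes is that the chain check against SSLCACertificateFile is done by SSLVerifyClient during the handshake; SSLRequire and FakeBasicAuth only operate on a certificate that has already passed that check, and the CA-name list advertised to the browser can be set independently of the CAs trusted for verification.

```apache
# Added example for Apache 2.2 mod_ssl; not from the original message.
# All paths and names below are assumptions.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # CAs whose signatures are accepted on client certificates. Client
    # certificates that do not chain to one of these are rejected by
    # SSLVerifyClient require, regardless of any SSLRequire expression.
    SSLCACertificateFile  /etc/apache2/ssl/approved-client-cas.pem
    SSLVerifyDepth 2

    # Optional: the CA names advertised to the browser in the certificate
    # request. By default they are taken from SSLCACertificateFile. Setting
    # this changes only what is advertised (e.g. to include a test CA so
    # Firefox offers a test certificate); verification still uses
    # SSLCACertificateFile only.
    SSLCADNRequestFile    /etc/apache2/ssl/advertised-ca-names.pem

    <Location /secure>
        # The handshake fails unless the client presents a certificate that
        # chains to one of the approved CAs above. SSLRequire does not perform
        # this check; it is evaluated afterwards on the already verified cert.
        SSLVerifyClient require

        # Extra access check on top of CA verification: only certificates
        # whose Subject O field matches (assumed value).
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp"
    </Location>

    <Location /secure-basic>
        SSLVerifyClient require
        # Map the verified certificate's Subject DN onto a Basic-auth username.
        # As documented for FakeBasicAuth, each htpasswd entry must use the
        # fixed password "password" (crypt form xxj31ZMTZzkVA).
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Client certificate"
        AuthUserFile /etc/apache2/ssl/client-dns.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

With this layout a self-signed test certificate is offered by the browser only if its CA name appears in the advertised list, and it is still refused during the handshake because it does not chain to anything in SSLCACertificateFile, which is the behaviour the second question asks for.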