On Wed, Dec 3, 2014 at 1:43 PM, M. K. <bittehier at nurfuerspam.de> wrote: >> If you use >> auth = "certificate" >> and ca-cert has the authority that signs certificates, what you >> describe will work. >> However, I am confused from your description. Are >> ca-sub1-chain-cert.pem and sub.class1.server.ca.pem the same thing? >> Why did you use different names? > > I don?t know exactly but StartSSL use an intermediate CA certificate to provide certificates for different level of identification. Normally I have to provide all certificates from the chain from server to ca with the sub level of class1 or class2 certificate. But I could test it with only the class1 thing - but what?s with the clients which got a class2 certificate? > > And the important question: The client certificate are directly from StartSSL and I don?t own a CA or sub CA - how could I restrict logins to only my users? Should I have to install the client certificate to the server or what should I do? If you don't trust all StartSSL users to connect to your server then you shouldn't put that CA in ca-cert. In that option you should set the CA that signed the certificates of the users you want to connect. That is, you must create your own CA and provide your users with certificates signed by it (e.g., in the form of tokens or files). If you already have the StartSSL certificates of your users, you could re-use the keys from there, and only send them the new certificate. That way, in addition to controlling the allowed users, you also control revocation of users. regards, Nikos