Is it possible to add a Client Hostname to an SSL Client Certificate?

Alexandre Arantes wrote:
> one of them asked me why did I choose not to add the client hostname to the
> Client Certificate, thus making it usable only by that specific client.

There are no standardized naming rules for client certs like the TLS server 
hostname check implemented at the client side.

You have to define and implement your own naming/mapping rules at the server side.

> And so I started searching online for ways to do it, but found nothing.

No wonder because there's no standard way.

Several possibilities for client cert "names":
- subject DN
- issuer-DN + serial no.
- cert fingerprint
- Any naming convention stuffed into subjectAltName extension

Some inspiration in various server software:

FakeBasicAuth in Apache's mod_ssl:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

Certificate Mappers in OpenDJ:
http://docs.forgerock.org/en/opendj/2.6.0/configref/certificate-mapper.html

Ciao, Michael.
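
The naming options listed in the reply above, sketched as a server-side mapper. This is an added example, not part of the original message or of any project it mentions. It assumes the TLS layer has already verified the chain and works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificate, the registry, the rule names and the "SAN must list the connecting IP" convention are constructed for illustration.

```python
import hashlib

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT = {
    "subject": ((("organizationName", "Example Org"),), (("commonName", "backup-agent"),)),
    "issuer": ((("organizationName", "Example Org"),), (("commonName", "Example Client CA"),)),
    "serialNumber": "0A1B2C",
    "subjectAltName": (("DNS", "client42.example.internal"), ("IP Address", "192.0.2.42")),
}
# Constructed stand-in for the DER bytes from getpeercert(binary_form=True).
DER = b"constructed-der-bytes-for-illustration"
RULES = ("subject_dn", "issuer_serial", "fingerprint", "san_dns")

def dn_string(rdns):
    """Render a DN, escaping separators so distinct DNs never collide."""
    def esc(v):
        for ch in "\\,+=":
            v = v.replace(ch, "\\" + ch)
        return v
    return ",".join("+".join(f"{k}={esc(v)}" for k, v in rdn) for rdn in rdns)

def candidate_names(cert, der):
    """One lookup key per naming option listed in the post."""
    san = cert.get("subjectAltName", ())
    return {
        "subject_dn": [dn_string(cert["subject"])],
        "issuer_serial": [dn_string(cert["issuer"]) + "#" + cert["serialNumber"].upper()],
        "fingerprint": [hashlib.sha256(der).hexdigest()],
        "san_dns": [v.lower() for t, v in san if t == "DNS"],
        "san_ip": [v for t, v in san if t == "IP Address"],
    }

def map_client(cert, der, rule, registry, peer_ip=None):
    """Map an already chain-verified client cert to a local account, or None."""
    if rule not in RULES:
        raise ValueError(f"unknown mapping rule: {rule}")
    if not cert:  # getpeercert() returns {} when the peer cert was not validated
        return None
    names = candidate_names(cert, der)
    # Hypothetical local convention: under san_dns the SAN must also list the
    # connecting IP, which ties the certificate to one client host.
    if rule == "san_dns" and peer_ip not in names["san_ip"]:
        return None
    return next((registry[(rule, k)] for k in names[rule] if (rule, k) in registry), None)

REGISTRY = {  # constructed server-side mapping table
    ("subject_dn", "organizationName=Example Org,commonName=backup-agent"): "svc-backup",
    ("issuer_serial", "organizationName=Example Org,commonName=Example Client CA#0A1B2C"): "svc-backup",
    ("fingerprint", hashlib.sha256(DER).hexdigest()): "svc-backup",
    ("san_dns", "client42.example.internal"): "svc-backup",
}
```

Subject-DN mapping survives certificate renewal, while issuer-plus-serial and fingerprint mapping pin one specific certificate and need a registry update on every reissue.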

