Hi,

Basically...

SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)

and have the setup from the Thwate cert as per normal for the servercert.

Regards
Matt

----- Original Message ----
From: Jan Stian Gabrielli
To: modssl-users@modssl.org
Sent: Tuesday, September 23, 2008 1:39:16 PM
Subject: Re: Can i use CA signed cert to create client authentication certificates ?

Ok. This seems like a viable solution.
Ie.
I use an approved CA signed cert to verify the site auhtentisity, and i use a selfsigned CA root for client certificates.

Can you point me in a direction of how i make this work in apache ?.
I already have a setup with a Selfsigned CA working for client certificates.

Createed SelfSignedCA
|-->Create and Sign Apache Cert from SelfSigned CA
|-->Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (thawte) signed webserver certificate ?.

Best regards

Wizkidnono

Original Message -----------------------
Sounds like your trying to use the thawte apache cert to sign your client certs? The thawte cert won't have the right attributes to sign a client cert and then try to use it.

You could use your CA for client certs andThawte for the server cert.

Regards
Matt



----- Original Message ----
From: Jan Stian Gabrielli
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject:Can i use CA signed cert to create client authentication certificates ?

I am trying to set up apache with mod_ssl , and I have it working with a
Self Signed CA.
But i can not get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a "third"
party where one does not have access to their root ca key ?..

Ie.

I have generated a : apache_server.key made a apache_server..csr and sent
this for signing by thawte.com
Recived a apache_server.crt

Created a client.key and a client.csr
Signed it with my apache_server.key and apache_server.crt

Converted the client.key,crt to a pkcs12 file and imported this into my
browser but i can not make things work.

SSL works fine on the server on pages that does not require SSL client auth.

A I stated earlier, IT works when I create and self sign a CA, but I cant
make it work when I use a 3rd party CA and only have apache_server.key,
apache_server.crt , thawte root cert.

Best regards

Wizkidnono
–œ…â'µêßiÇÂ* ê^�$‹š‡l²\0Âj²à h®,z´®¦š+´Ã*¢–)à .+-š‡l²[¬z»&¡Û,–Šà ëh™«^t¸¬´Ã*§j«℠¨èÂ*Ú&¢j²Éh®



__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
–œ…â'µêßiÇ* ê^�$‹š‡l²\0Âj²Éh®,z´®¦š+´Æ¢– )*.+-š‡l²[¬z»&¡Û,–**ëh™«^t¸¬´Æ§j«™¨è*Ú&¢j²Éh®



__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org