How to generate a client certificate using CA-NOT CA

I am trying to export a client certificate for use with a web browser.

The goal is to restrict access using the <Location> directive in the admin area. I have seen many tutorials on using self-signed CAs. How do you do this with a third party?

1) Do I need to include the CA in the client .pfx if it is a trusted root certification authority? I have seen both examples.

Without CA:

openssl pkcs12 -export -inkey KEYFILENAME -in CERTFILEFILENAME -out XXX.pfx

With CA:

openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx

2) Do I still need to enable the SSLCACertificateFile for the trusted CA in the httpd.conf configuration?

SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
<Location /secure/area>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8

+3
1 answer

SSLCACertificateFile

:

    SSLCertificateFile /etc/apache2/ssl/apache.cer # site certificate signed by Verisign
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key # site key for the certificate signed by Verisign
    SSLCACertificateFile /etc/apache2/ssl/apachelca2.pem # your self-signed CA

, apachelca2.pem , ... :

openssl req -config /usr/share/apache2/ssleay.cnf -new -key client.key -out client.csr

openssl x509 -req -days 365 -CA /etc/apache2/ssl/apachelca2.pem -CAkey /etc/apache2/ssl/apachelca2.pem -CAcreateserial -in client.csr -extfile /usr/share/apache2/ssleay.cnf -extensions v3_req -out client.crt
+5
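The answer above sketches the two halves of the job (sign a client certificate with your own CA, and point SSLCACertificateFile at that CA). The following is an added example, not code from the question or the answer, that carries the whole procedure through end to end and adds the checks a practitioner would run before editing httpd.conf: it creates a private CA, issues a client certificate restricted to TLS client authentication, bundles it into a PKCS#12 file with the CA included (the "With CA" form from the question), and verifies that the chain validates at depth 1 and that the .pfx actually contains both certificates. All names, subjects, paths and the password are made up for the example. The security point it encodes: SSLCACertificateFile is the list of CAs whose clients you trust, so it must be your private client CA, not the public CA that signed the server certificate; if you pointed it at a public CA, every client certificate that CA ever issued to anyone would satisfy SSLVerifyClient require.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a private client CA,
# issues a client certificate, packages it as PKCS#12 and verifies it.
# Every file name, subject and password below is a made-up placeholder.
set -eu

# $1 = working directory, $2 = client CN, $3 = PKCS#12 export password
issue_client_pfx() {
    dir="$1"; cn="$2"; pass="$3"
    mkdir -p "$dir"

    # 1. Private CA. This is the certificate that belongs in
    #    SSLCACertificateFile; it is deliberately NOT a public CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Client key and CSR (the part the user, or you, generates).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null

    # 3. Sign with the private CA. The extensions mark the certificate as an
    #    end-entity usable only for TLS client auth, so a stray server
    #    certificate or a sub-CA cannot be presented in its place.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null

    # 4. Bundle for the browser. -certfile adds the CA so the browser can
    #    display the chain; the server does not need it, it already has ca.crt.
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -certfile "$dir/ca.crt" -out "$dir/client.pfx" -passout "pass:$pass"
}

# Checks to run before trusting the result in httpd.conf.
# $1 = working directory, $2 = PKCS#12 password
verify_client_pfx() {
    dir="$1"; pass="$2"
    # Chain validates against the private CA alone (what SSLVerifyDepth 1 needs).
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null || return 1
    # Certificate is restricted to client authentication.
    openssl x509 -in "$dir/client.crt" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
    # The .pfx opens with the password and carries both certificates.
    n=$(openssl pkcs12 -in "$dir/client.pfx" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 2 ]
}

# Usage: issue_client_pfx /tmp/clientca alice 'a-strong-export-password'
#        verify_client_pfx /tmp/clientca 'a-strong-export-password' && echo OK
```

With the files produced this way, SSLCACertificateFile points at ca.crt, the user imports client.pfx into the browser, and SSLVerifyDepth 1 is sufficient because the client certificate is signed directly by that CA. Keep ca.key offline: anyone holding it can mint a certificate that passes the <Location> check.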

Source: https://habr.com/ru/post/1709605/
