[lug] creating client certs for apache

D. Stimits stimits at comcast.net
Wed Sep 7 15:26:59 MDT 2005

I'm now looking at this:

Basically I have the apache server set up to use https only for access 
to subversion repositories. I have my own self-signed cert, 
myserver.crt. At that URL it says I can now create client certs signed 
by my self-signing-CA, followed by naming cert I signed it with as the 
check for whether access is allowed or not. The apache site does not go 
into details about the OpenSSL means of doing this, and I have a fear 
about giving away private keys that should not be public. For fedora 
core 4, I have:

First, am I correct to say that despite this not being in a directory 
labeled "private" that this crt file should be a guarded secret?

Second, can I create multiple client certs from this server cert which 
are each unique? What I'm getting at is that I might want to issue a 
different cert for each person, such that if there is a problem I can 
revoke only the one cert. Or alternatively, I might want to issue one 
client cert for a group of people using one subversion repository via 
https, and a different cert for a different group, and have it 
automatically know via cert that they have access to some directories 
but not others. All of which hinges on either making multiple unique 
client certs from one server cert, or else creating multiple server 
certs if I can make only one client cert per server cert. Any advice on 
creating these certs, and keeping the right parts private, especially on 
fedora/apache 2?

D. Stimits, stimits AT comcast DOT net

More information about the LUG mailing list