[lug] creating client certs for apache

D. Stimits stimits at comcast.net
Thu Sep 8 10:10:32 MDT 2005

> using your CA cert you can create end-entity (users/machines/groups)
This is what I want to do. I want to do this in PKCS12 format and 
distribute it to the outside world to specific individuals I trust.

> certs with unique identifying info in the DN (Country, State,
> Locality(city), Organization, Organizational Unit,
> Common Name (e.g. person name, host name, group name),
> and some other parts.

Yes, I was basically hoping to create a public key I could hand out that 
identifies the person as belonging to a given svn project (and thus 
given web directory).

>   4) Client UA sends its cert to the server when requested
>      during the SSL handshake. The client has access
>      to the private key for its cert so it can encrypt data.

Here's where I start running into trouble. Configuring the apache server 
itself does not seem to be a problem, it has some nice comments in the 
ssl config file of mod_ssl. The problem I'm running into is figuring out 
creation of unique public keys to hand out to individuals or groups of 
individuals. The above item #4 leads me to believe I have been looking 
at this from the wrong angle. You say "client has access to the private 
key"...I've been thinking in terms of using the server private key to 
generate multiple unique public keys that I send to people to install in 
their browser; instead the access to private key makes me believe each 
user needs to create a self-signed key pair of their own, and then send 
*their* public key to me to install on the server.

My initial thought: Create one unique public key for a group of people 
to access a project via the server's keys, and send that key to 
outsiders to put in their clients. Then I have to install permissions to 
access a project based on that key which I just sent out (which was 
generated based on a server key). To do the reverse would mean I have to 
get everyone involved to generate their own key pairs, and then get a 
copy of each public key to tell my server to allow that key. This 
probably means a lot of effort to get outside participants to all create 
and secure keys; instead I was hoping to do the key generation from my 
end so all the other people would have to do is import the key to their 
browser. Maybe this is not possible?

Now as far as apache goes, once I have the keys to be accepted, the 
server is not hard to configure. My question is on configuration of the 
mozilla end...mozilla wants a PKCS12 format, which I do not have (and 
which will be needed regardless of whether I'm the one who generates it, 
or if outside individuals generate their own). I assume I have to do a 
conversion to this format, probably based on my cert, and then send that 
out to everyone. My question now is whether this assumption is correct, 
and if so, how do I generate a public key from my server's cert (or from 
the server's private key) in PKCS12 format, such that I can give it a 
name like "Repository X Developer"? Then I could set up apache to allow 
access to repository named "X" if that key is present. I could send out 
a "Repository Y Developer" key as well and give them automatic access to 
the repository named "Y".

D. Stimits, stimits AT comcast DOT net

More information about the LUG mailing list