From: Thor <jag...@go...> - 2008-09-22 13:56:09

Dave wrote:
> all those certs/keys can be embedded in the config file itself, though I
> somehow think that's not entirely what you are wanting.

Sorry, I'm not quite following you when you say 'embedded in the config file'. My users' config file contains:

ca ca.crt
cert <clientusername>.crt
key <clientusername>key
tls-auth ta.key 1

Where the <clientusername> would also be the common name of the client's certificate.

> If the server were to give out its ca/ta certificate on connection,
> this rather defeats the purpose of having the server certificate, because
> then the server is saying 'trust me, I'm the server you want' as opposed to
> 'here's who I say I am, do you trust me?'. Similarly, if it were to give
> out the client cert and key upon connection, the server is saying 'I trust
> you, whoever you are, come on in' as opposed to 'tell me who you are and
> then I will check if I trust you'.

I see what you mean here, yes. But ideally, I would like to create client certificates on the fly (if that's even possible/secure). For instance, a user would register via a form and a PHP script would insert them into a database. From this point on is where I would like to find out how I could automatically create a client certificate based on the inputted details (i.e. generate a client cert with a common name = inputted username on registration).

How - if the previous is even possible or secure - would the client receive the required ca and ta key and the newly created client cert on their machine? Since I assume all the clients' config (when using certificate/key and username/password authentication) would require:

ca ca.crt
cert <clientusername>.crt
key <clientusername>key
tls-auth ta.key 1
auth-user-pass
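As an added example (not part of this thread and not OpenVPN project code), here is a POSIX shell script showing the two pieces Thor is asking about, done the way Dave's "embedded in the config file" remark points at: the registration back end issues a client certificate whose CN is the registered username, signs it with the existing CA, and then assembles one client config with the ca, cert, key and tls-auth material inline, so the user receives a single file instead of four. It assumes ca.crt, ca.key and ta.key already exist in $PKI_DIR; if they do not, it constructs a throwaway demo CA and static key so the script runs stand-alone. The hostname vpn.example.com and the username alice are constructed placeholders. Usernames are validated before they reach the -subj string or a file path, since they come straight from a web form. The server-side CA key stays on the server; the resulting .ovpn still has to reach the user over a channel that has already authenticated them (e.g. the logged-in registration session over HTTPS), which is the part that keeps the "tell me who you are, then I will check" property Dave describes.

```shell
#!/bin/sh
# Added example: issue a per-user OpenVPN client cert (CN = username) and
# build a single client config with the PKI material inline.
set -eu

PKI_DIR="${PKI_DIR:-./demo-pki}"               # where ca.crt, ca.key, ta.key live
SERVER_HOST="${SERVER_HOST:-vpn.example.com}"  # assumed placeholder hostname

# Constructed demo CA and tls-auth key so the script runs stand-alone.
# A real deployment already has these (ta.key from `openvpn --genkey`).
make_demo_pki() {
  mkdir -p "$PKI_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo VPN CA" \
    -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
  {
    echo "-----BEGIN OpenVPN Static key V1-----"
    openssl rand -hex 256 | fold -w 32      # 2048-bit key, 16 lines of 32 hex chars
    echo "-----END OpenVPN Static key V1-----"
  } > "$PKI_DIR/ta.key"
  chmod 600 "$PKI_DIR/ca.key" "$PKI_DIR/ta.key"
}

# Only allow a conservative character set: the username becomes part of the
# certificate subject and of file names, so it must not carry '/', ';', etc.
valid_username() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*|.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Generate a key + CSR for the user and sign it with the CA.
# The cert is marked clientAuth so the server's `remote-cert-tls client`
# check rejects a server cert presented by a client and vice versa.
issue_client_cert() {
  user="$1"
  valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
    > "$PKI_DIR/client-ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$PKI_DIR/$user.key" -out "$PKI_DIR/$user.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/$user.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -days 365 -extfile "$PKI_DIR/client-ext.cnf" \
    -out "$PKI_DIR/$user.crt" 2>/dev/null
  rm -f "$PKI_DIR/$user.csr"
  chmod 600 "$PKI_DIR/$user.key"
}

# The CN as the server will see it (what username/CN checks key off).
cert_cn() {
  openssl x509 -in "$PKI_DIR/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/^CN=//'
}

# Confirm the issued cert actually chains to our CA before handing it out.
verify_client_cert() {
  openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# One self-contained client config: inline <ca>/<cert>/<key>/<tls-auth>
# blocks replace the four separate file directives from the thread;
# `key-direction 1` is the inline form of `tls-auth ta.key 1`.
build_client_config() {
  user="$1"; out="$PKI_DIR/$user.ovpn"
  {
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$SERVER_HOST"
    printf 'remote-cert-tls server\nauth-user-pass\nkey-direction 1\n'
    printf '<ca>\n';        cat "$PKI_DIR/ca.crt";     printf '</ca>\n'
    printf '<cert>\n';      cat "$PKI_DIR/$user.crt";  printf '</cert>\n'
    printf '<key>\n';       cat "$PKI_DIR/$user.key";  printf '</key>\n'
    printf '<tls-auth>\n';  cat "$PKI_DIR/ta.key";     printf '</tls-auth>\n'
  } > "$out"
  chmod 600 "$out"   # contains a private key; deliver over an authenticated channel
  echo "$out"
}

main() {
  user="${1:-alice}"   # constructed example username
  [ -f "$PKI_DIR/ca.crt" ] || make_demo_pki
  issue_client_cert "$user"
  verify_client_cert "$user"
  echo "issued client cert with CN=$(cert_cn "$user")"
  build_client_config "$user"
}

main "$@"
```

Run it as `./issue_client.sh alice` from the registration hook; it prints the path of alice.ovpn, which the web application then serves once to the authenticated session. The username check is what keeps a form field from turning into extra subject components or a path traversal, and the verify step catches a mis-signed cert before it is ever delivered.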