[Semanticscuttle-devel] Work on #3163623 started: SSL Client Certificates
From: Christian W. <cw...@cw...> - 2011-05-04 17:48:39
Hi,

I started working on SSL client certificate support today, and you
already get automatically logged in when your client cert is registered
in the sc_users_sslclientcerts table. Currently you need to manually do
that because the interface to assign them is yet to be written :)

I'm using the following SSL virtual host settings in the Apache
configuration:

    SSLEngine On
    SSLCertificateFile /etc/ssl/private/bm.bogo.cweiske.de-cacert.pem
    SSLCertificateKeyFile /etc/ssl/private/bm.bogo.cweiske.de.key
    SSLCACertificateFile /etc/ssl/private/cacert-1and3.crt
    #enable client certificate login
    SSLOptions +StdEnvVars
    SSLVerifyClient optional
    SSLVerifyDepth 1

I used the CAcert CSR generator[1] to generate the key and the csr
file, used the .csr to apply for the certificate @cacert and saved the
certificate I got from them as the .pem. Then I put both their
public class1 (root) and class3 certificates into the cacert-1and3.crt
file and restarted Apache.

The option "SSLVerifyClient optional" tells Apache to ask for a client
certificate but not to require it, so that users can log in normally if
they wish.

If a registered client certificate is provided by the browser, the user
gets automatically logged in. Branch is ssl-client-certs; I hope to get
it into 0.98.0.

[1] http://wiki.cacert.org/CSRGenerator

--
Regards/Mit freundlichen Grüßen
Christian Weiske
-=≡ Geeking around in the name of science since 1982 ≡=-
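
Added example (not part of the original message and not SemanticScuttle's own code): how an application behind the virtual host above could map the variables exported by "SSLOptions +StdEnvVars" to a registered user when "SSLVerifyClient optional" is set. The function name and the row layout used for sc_users_sslclientcerts (user_id, serial, issuer_dn) are assumptions; the sample requests are constructed.

```php
<?php
// Added example, not SemanticScuttle code. $registeredCerts stands in for
// rows of sc_users_sslclientcerts; the column names are an assumption.

/**
 * Map mod_ssl variables (exported by "SSLOptions +StdEnvVars") to a user id.
 * Returns null when the request must fall back to the normal login form.
 */
function userIdFromClientCert(array $server, array $registeredCerts): ?int
{
    // With "SSLVerifyClient optional" a request without a certificate still
    // reaches the application and mod_ssl reports NONE. Only SUCCESS means
    // the chain was verified against SSLCACertificateFile.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $serial = strtoupper(trim($server['SSL_CLIENT_M_SERIAL'] ?? ''));
    $issuer = trim($server['SSL_CLIENT_I_DN'] ?? '');
    if ($serial === '' || $issuer === '') {
        return null;
    }
    // A serial number is unique only per issuing CA, and the CA file in the
    // message holds two CA certificates, so compare issuer and serial together.
    foreach ($registeredCerts as $row) {
        if (strtoupper($row['serial']) === $serial && $row['issuer_dn'] === $issuer) {
            return (int) $row['user_id'];
        }
    }
    return null;
}

// Constructed sample data (not real certificates).
$class3 = 'CN=Example Class 3 CA,O=Example';
$registered = [
    ['user_id' => 7, 'serial' => '0A1B2C', 'issuer_dn' => $class3],
];
$requests = [
    'no certificate sent'    => ['SSL_CLIENT_VERIFY' => 'NONE'],
    'verified, registered'   => ['SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_M_SERIAL' => '0a1b2c', 'SSL_CLIENT_I_DN' => $class3],
    'same serial, other CA'  => ['SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_M_SERIAL' => '0A1B2C', 'SSL_CLIENT_I_DN' => 'CN=Example Root CA,O=Example'],
    'verified, unregistered' => ['SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_M_SERIAL' => 'FFEE01', 'SSL_CLIENT_I_DN' => $class3],
];
foreach ($requests as $label => $server) {
    $id = userIdFromClientCert($server, $registered);
    printf("%-24s => %s\n", $label, $id === null ? 'normal login' : "user $id");
}
```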