Validating SSL clients using a list of authorised certificates instead of a Certificate Authority
Posted by Gavin Brown on Server Fault
Published on 2010-04-23T17:41:52Z
Is it possible to configure Apache (or any other SSL-aware server) to only accept connections from clients presenting a certificate from a pre-defined list? These certificates may be signed by any CA (and may be self-signed).
A while back I tried to get client certificate validation working in the EPP system of the domain registry I work for. The EPP protocol spec mandates use of "mutual strong client-server authentication". In practice, this means that both the client and the server must validate the certificate of the other peer in the session.
We created a private certificate authority and asked registrars to submit CSRs, which we then signed. This seemed to us to be the simplest solution, but many of our registrars objected: they were used to obtaining a client certificate from a CA, and submitting that certificate to the registry. So we had to scrap the system. I have been trying to find a way of implementing this system in our server, which is based on the mod_epp module for Apache.
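The mechanism the question is after is certificate pinning at the server: request a client certificate, skip chain building entirely, and accept the connection only if the SHA-256 fingerprint of the presented leaf is on a list the registry maintains. The following is an added example written for this page, not code from the question, from mod_epp or from Apache; it uses Go's crypto/tls (whose `RequireAnyClientCert` plus `VerifyPeerCertificate` expresses the pattern directly) rather than mod_ssl, where the nearest directive is `SSLVerifyClient optional_no_ca` with the presence and fingerprint checks left to the application. The certificate names, the throwaway self-signed certificates and the allowlist contents are all constructed for the example. One caveat the example makes explicit: once no CA is consulted, validity dates and revocation become the allowlist owner's job, so the verifier checks the validity period itself and revocation is simply removing a fingerprint from the list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSelfSignedCert mints a throwaway self-signed ECDSA certificate for cn.
// It stands in for whatever certificate a registrar would bring (self-signed
// or from any CA); it is constructed here only so the example runs offline.
func NewSelfSignedCert(cn string, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Fingerprint is the hex SHA-256 of the DER certificate: the value the registry
// would record when a registrar submits its certificate out of band.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// AllowlistVerifier returns a VerifyPeerCertificate callback that accepts a client
// only if the leaf it presented is on the allowlist. Issuer and chain are ignored,
// so self-signed and third-party-CA certificates are treated alike. Since no CA
// is consulted, the validity period is checked here; revocation is handled by
// removing the fingerprint from the list.
func AllowlistVerifier(allowed map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no client certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("unparseable client certificate: %w", err)
		}
		fp := Fingerprint(rawCerts[0])
		if !allowed[fp] {
			return fmt.Errorf("certificate %s (CN=%s) is not on the allowlist", fp, leaf.Subject.CommonName)
		}
		if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
			return fmt.Errorf("allowlisted certificate %s is outside its validity period", fp)
		}
		return nil
	}
}

// ServerConfig demands a client certificate but skips chain verification
// (RequireAnyClientCert); acceptance is decided solely by the allowlist.
func ServerConfig(serverCert tls.Certificate, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{serverCert},
		ClientAuth:            tls.RequireAnyClientCert,
		VerifyPeerCertificate: AllowlistVerifier(allowed),
		MinVersion:            tls.VersionTLS12,
	}
}

// handshake runs one mutual-TLS handshake over loopback and returns the server's
// verdict. In TLS 1.3 the client's own Handshake can return nil before the server
// has rejected its certificate, so the server side is the one to ask.
func handshake(srvConf *tls.Config, clientCert tls.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		s := tls.Server(c, srvConf)
		verdict <- s.Handshake()
		s.Close()
	}()
	// The client does not validate the server here; this example is about the server-side check.
	if cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{clientCert}, InsecureSkipVerify: true}); err == nil {
		cli.Close()
	}
	return <-verdict
}

func main() {
	in24h := time.Now().Add(24 * time.Hour)
	server, _ := NewSelfSignedCert("epp.example", in24h)
	registrarA, _ := NewSelfSignedCert("registrar-a", in24h)
	registrarB, _ := NewSelfSignedCert("registrar-b", in24h)
	// Only registrar A submitted its certificate to the registry.
	conf := ServerConfig(server, map[string]bool{Fingerprint(registrarA.Certificate[0]): true})
	fmt.Println("registrar A:", handshake(conf, registrarA))
	fmt.Println("registrar B:", handshake(conf, registrarB))
}
```

Running `main` prints `<nil>` for registrar A and an allowlist rejection for registrar B, even though both certificates are self-signed and neither is known to any CA the server trusts. The design choice worth noting is that the allowlist pins the whole DER certificate, so a registrar that renews its certificate (new serial, new dates, same key) must submit the new one; pinning the SubjectPublicKeyInfo instead would survive renewals but then the expiry check above is the only thing retiring an old certificate.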
© Server Fault or respective owner