How to generate a client certificate using a third party CA - NOT Self Signed CA
- by Bryan
I am trying to export a client certificate for use with a web browser.
The goal is to restrict access to the admin area using the <Location> directive. I have seen numerous tutorials on using self signed CAs. How would you do this using a third party?
1) Do I need to include the CA in the client pfx if it is a trusted root CA? I have seen both examples.
Without CA:
openssl pkcs12 -export -inkey KEYFILENAME -in CERTFILEFILENAME -out XXX.pfx
With CA:
openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx
2) Do I need to still include SSLCACertificateFile for trusted CA in the httpd.conf setup?
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
<Location /secure/area>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8
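
The two export variants from the question, run side by side so the difference in the resulting .pfx is visible. This is an added example, not part of the original post: a throwaway local CA stands in for the third-party CA, and the file names, subjects and the password `demo` are constructed. The last function checks that the client certificate chains to the CA file, which is the role SSLCACertificateFile plays for client verification in the posted config.

```shell
#!/bin/sh
# Added example. A throwaway local CA stands in for the third-party CA;
# every name, subject and password below is constructed for the demo.
set -e
WORK=$(mktemp -d)

make_demo_pki() {
    # Stand-in CA certificate, playing the role of my.bundle from the post.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Stand-in CA" \
        -keyout "$WORK/ca.key" -out "$WORK/my.bundle" 2>/dev/null
    # Client key and signing request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$WORK/my.key" -out "$WORK/my.csr" 2>/dev/null
    # The CA signs the request; a real third party would send back my.crt.
    openssl x509 -req -in "$WORK/my.csr" -CA "$WORK/my.bundle" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/my.crt" 2>/dev/null
}

export_pfx() {
    # Variant 1 from the post: key + client certificate only.
    openssl pkcs12 -export -inkey "$WORK/my.key" -in "$WORK/my.crt" \
        -passout pass:demo -out "$WORK/without-ca.pfx"
    # Variant 2 from the post: -certfile adds the CA certificate(s) to the bundle.
    openssl pkcs12 -export -inkey "$WORK/my.key" -in "$WORK/my.crt" \
        -certfile "$WORK/my.bundle" -passout pass:demo -out "$WORK/with-ca.pfx"
}

count_certs() {  # $1 = .pfx file; prints how many certificates it carries
    openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

verifies_against() {  # $1 = CA file, $2 = certificate to check against it
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_demo_pki
export_pfx
echo "without -certfile: $(count_certs "$WORK/without-ca.pfx") certificate(s)"
echo "with -certfile:    $(count_certs "$WORK/with-ca.pfx") certificate(s)"
verifies_against "$WORK/my.bundle" "$WORK/my.crt" && echo "client cert chains to the CA file"
```

Both bundles carry the same key and client certificate; only the number of extra CA certificates differs.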