Michael Montgomery
2005-Nov-28 16:32 UTC
[Fedora-directory-users] Re: Re: ssl client authentication
Does anyone possibly have an answer to these questions? I'm quite stumped at the moment, and would love to try and get this fully working. Thanks again.

> Date: Thu, 17 Nov 2005 10:09:45 -0600
> From: Michael Montgomery <mmontgomery@theplanet.com>
> Subject: Re: Re: [Fedora-directory-users] ssl client authentication
> To: fedora-directory-users@redhat.com
> Message-ID: <1132243785.24437.11.camel@work>
> Content-Type: text/plain
>
> Thank you very much for your response. I just have a couple more
> questions so I can be sure I know what I'm talking about.
>
> > the directory server (your SSL server) replies with the certificate chain which includes
> > the CA certificate, and the self-signed SSL certificate."
>
> I'm assuming the 'self-signed SSL certificate' is the client's ssl
> certificate I imported into the SSL server's store, and NOT the server's
> own client certificate?
>
> > you should have the SSL certificate imported into your SSL client's security database,
> > and it should be marked as trusted (i.e -t "CT,CT,CT").
>
> Is there any documentation on how to do this with a RHEL4 server? The
> only things that come to mind are the openssl dirs '/usr/share/ssl/*',
> and possibly installing the certutil package on this machine... (but how
> would the ldap.conf file reference this, and even know about it... I'm
> curious about integration)
>
> > Another way to do this is to sign your SSL server certificate with your self-signed CA
> > certificate, and import your CA certificate into your SSL client's security database.
>
> I'm assuming you're talking about this option to Sign/Validate a
> self-signed cert:
>
>   -V              Validate a certificate
>      -n cert-name     The nickname of the cert to Validate
>      -b time          validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
>      -e               Check certificate signature
>      -u certusage     Specify certificate usage:
>                         C    SSL Client
>                         V    SSL Server
>                         S    Email signer
>                         R    Email Recipient
>      -d certdir       Cert database directory (default is ~/.netscape)
>      -P dbprefix      Cert & Key database prefix
>      -X               force the database to open R/W
>
> But then there's still the above question of how to import it into
> clients...
>
> Once again, thank you very much for your answers up to this point, as
> they were quite helpful.
>
> Michael.
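The steps the quoted reply describes, written out as a script. This is an added example for readers of the archive, not code from the thread or from the Directory Server project. It covers both client types that come up above: an NSS-based client, where the self-signed CA goes into the client's cert database with certutil (NSS's own tool, separate from the OpenSSL files under /usr/share/ssl) and is marked trusted with -t "CT,CT,CT", after which certutil -V with -u V checks that the server cert validates for SSL-server use; and the OpenSSL-linked OpenLDAP tools (ldapsearch and friends on RHEL4), which never look at an NSS database and are told about the CA through TLS_CACERT in ldap.conf. The CA path, the database directory, the certificate nicknames and the ldap.conf path are assumptions chosen for illustration; the server cert is assumed to have been signed by that CA and, for the validate step, already imported into the client database.

```shell
#!/bin/sh
# Added example, not from the list thread.  Trust a self-signed CA on an
# LDAP client two ways:
#   1. NSS-based client: import the CA into the NSS cert db (certutil -A),
#      mark it trusted (-t "CT,CT,CT"), then validate the server cert for
#      SSL-server usage (certutil -V -u V) against that CA.
#   2. OpenSSL-linked OpenLDAP client: point ldap.conf at the CA PEM.
# Every path and nickname below is an assumption for illustration.

CA_PEM="${CA_PEM:-/etc/pki/tls/certs/my-ca.pem}"   # assumed: self-signed CA cert, PEM
NSS_DIR="${NSS_DIR:-$HOME/.netscape}"               # certutil's default db dir (-d)
CA_NICK="${CA_NICK:-My Self-Signed CA}"             # assumed nickname inside the NSS db
SERVER_NICK="${SERVER_NICK:-Server-Cert}"           # assumed nickname of the server cert

# Import the CA and trust it.  The three trust slots are SSL,email,objsign;
# "CT" in a slot = trusted CA for that use, and also trusted to issue
# client certs for it.  Only the first slot matters for LDAP over SSL.
import_ca_nss() {
    if [ ! -f "$NSS_DIR/cert8.db" ] && [ ! -f "$NSS_DIR/cert9.db" ]; then
        certutil -N -d "$NSS_DIR"          # new db: certutil prompts for a password
    fi
    certutil -A -d "$NSS_DIR" -n "$CA_NICK" -t "CT,CT,CT" -i "$CA_PEM"
    certutil -L -d "$NSS_DIR" -n "$CA_NICK" >/dev/null   # fails if the import did not land
}

# Validate the server cert (assumed already in the db, imported with -t ",,"
# so its trust comes from the CA, not from its own flags) for SSL-server use.
# Older certutil versions exit 0 even when validation fails, so check the text.
validate_server_cert() {
    certutil -V -d "$NSS_DIR" -n "$SERVER_NICK" -u V 2>&1 | grep -q 'certificate is valid'
}

# OpenLDAP's OpenSSL-linked tools read TLS settings from ldap.conf.
# TLS_REQCERT demand (the default, written explicitly) makes the client drop
# the connection when the server cert does not chain to TLS_CACERT.
write_ldap_conf_tls() {
    conf="$1"; ca="$2"
    if [ -f "$conf" ]; then
        # remove earlier TLS_CACERT/TLS_REQCERT lines so ours are the ones in effect
        grep -v -e '^TLS_CACERT ' -e '^TLS_REQCERT ' "$conf" > "$conf.tmp" || :
        mv "$conf.tmp" "$conf"
    fi
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$ca" >> "$conf"
}

case "${1:-}" in
    import)   import_ca_nss ;;
    validate) validate_server_cert && echo "$SERVER_NICK validates for SSL-server use" ;;
    ldapconf) write_ldap_conf_tls "${2:-/etc/openldap/ldap.conf}" "$CA_PEM" ;;
esac
```

Run it as `sh trust-ca.sh import` and then `sh trust-ca.sh validate` on an NSS client, or `sh trust-ca.sh ldapconf` (as root) for the OpenLDAP tools; after the latter, `ldapsearch -x -ZZ -H ldap://your-server ...` should succeed only when the server's cert chains to the CA named in TLS_CACERT.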