Date: Sat, 16 Dec 2023 21:48:48 -0800
From: Doug Hardie <bc979@lafn.org>
To: FreeBSD Questions List <questions@freebsd.org>
Subject: Client Certificate Verification
Message-ID: <174A9481-186F-44EC-A129-96ACD985DD76@sermon-archive.info>
I have an application to which clients connect using a browser over SSL. I have a LetsEncrypt certificate for the app that lets the client authenticate the app. However, I need to have a multitude of client certificates (one per client machine). I am generating these certificates from a self-signed root certificate. I can get the client to verify the app and provide the client certificate to it. The app is unable to verify the client certificate.

I have not been able to figure out how to have openssl distribute one certificate (from LetsEncrypt), but verify the received client certificate using a different certificate chain. Openssl will pass me some of the received certificate fields. However, without certificate verification I cannot be sure that those values came from a certificate I generated. Is there a way to do this either with openssl or libtls?

-- Doug
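As an added example (not from Doug's message nor any FreeBSD project code), the shell functions below build a throwaway private root and one client certificate signed by it, plus an unrelated self-signed server certificate standing in for the LetsEncrypt chain, and then show that the trust anchor used to verify the client is chosen independently of the certificate the server presents. All file names, subjects and the port number are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). The CA that verifies client
# certificates is configured separately from the chain the server presents.
set -eu

# Build a private root CA, one client cert signed by it, and a separate
# self-signed "server" cert standing in for the LetsEncrypt chain.
# Everything is written into the directory given as $1 (constructed names).
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # private root that will sign the per-machine client certificates
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Client Root" \
        -keyout "$dir/client-root.key" -out "$dir/client-root.pem" 2>/dev/null
    # client key + CSR, signed by the private root (one per client machine)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client-01" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/client-root.pem" \
        -CAkey "$dir/client-root.key" -CAcreateserial -days 30 \
        -out "$dir/client.pem" 2>/dev/null
    # unrelated server certificate (stand-in for the public CA chain)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=app.example.invalid" \
        -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
}

# Verify a client certificate ($2) against one trust anchor file ($1) only.
# Prints "ok" when the chain validates, "fail" otherwise.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# The same split on a live listener: -cert/-key ($1/$2) are the LetsEncrypt
# chain and key the server presents; -CAfile ($3) is the private root used to
# verify the client; -Verify rejects clients that present no certificate.
server_cmdline() {
    echo "openssl s_server -accept 8443 -cert $1 -key $2 -CAfile $3 -Verify 1"
}
```

In a C application the same split is SSL_CTX_use_certificate_chain_file for the LetsEncrypt chain and SSL_CTX_load_verify_locations plus SSL_CTX_set_verify(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...) for the private root, so the fields OpenSSL hands back are only reachable once the chain has validated.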