From owner-freebsd-questions@FreeBSD.ORG  Mon Sep 29 17:00:11 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id DB3C11065696
	for <freebsd-questions@freebsd.org>;
	Mon, 29 Sep 2008 17:00:11 +0000 (UTC)
	(envelope-from cyberleo@cyberleo.net)
Received: from mtumishi.cyberleo.net (mtumishi.cyberleo.net [69.72.129.14])
	by mx1.freebsd.org (Postfix) with ESMTP id B7BB18FC1D
	for <freebsd-questions@freebsd.org>;
	Mon, 29 Sep 2008 17:00:11 +0000 (UTC)
	(envelope-from cyberleo@cyberleo.net)
Received: from [172.16.44.14] (adsl-75-4-150-29.dsl.emhril.sbcglobal.net
	[75.4.150.29])
	by mtumishi.cyberleo.net (Postfix) with ESMTPSA id F070611C7E;
	Mon, 29 Sep 2008 13:00:10 -0400 (EDT)
Message-ID: <48E10999.9070005@cyberleo.net>
Date: Mon, 29 Sep 2008 12:00:09 -0500
From: CyberLeo Kitsana <cyberleo@cyberleo.net>
User-Agent: Thunderbird 2.0.0.16 (X11/20080726)
MIME-Version: 1.0
To: Fraser Tweedale <frase@frase.id.au>
References: <20080928040152.GA7159@bacardi.frase.id.au>
In-Reply-To: <20080928040152.GA7159@bacardi.frase.id.au>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: [OT] Apache SSL certificate authentication
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Sep 2008 17:00:12 -0000

Fraser Tweedale wrote:
> - Create my CA key and a CSR, and have CACert sign it.

Are you sure it's signed as an intermediary CA? cacert.org's website
suggests they will only sign leaf certificates.
http://wiki.cacert.org/wiki/SubRoot

Fortunately, your client certs need not be signed by the same CA as your
server cert, and it's probably somewhat pointless to have a client cert
(which will be used for your infrastructure alone) vetted by a third party.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo@CyberLeo.Net>

Furry Peace! - http://wwww.fur.com/peace/