From: Fraser Tweedale
To: freebsd-questions@freebsd.org
Date: Tue, 30 Sep 2008 16:55:04 +1000
Subject: Re: [OT] Apache SSL certificate authentication

On Mon, Sep 29, 2008 at 12:00:09PM -0500, CyberLeo Kitsana wrote:
> Fraser Tweedale wrote:
> > - Create my CA key and a CSR, and have CACert sign it.
>
> Are you sure it's signed as an intermediary CA? cacert.org's website
> suggests they will only sign leaf certificates.
> http://wiki.cacert.org/wiki/SubRoot
>
> Fortunately, your client certs need not be signed by the same CA as your
> server cert, and it's probably somewhat pointless to have a client cert
> (which will be used for your infrastructure alone) vetted by a third party.
>
> --
> Fuzzy love,
> -CyberLeo
> Technical Administrator
> CyberLeo.Net Webhosting
> http://www.CyberLeo.Net
>
> Furry Peace! - http://wwww.fur.com/peace/

Thanks for the clarification. I hadn't picked up on the fact that you
need a special intermediary cert for the server cert to validate up the
chain.

Well, never mind. It's just for personal use anyway... if only X.509
could be simple like OpenPGP :)

frase