From owner-freebsd-isp  Sun Jun  2 23:57:11 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from oubliette.darkspire.net (oubliette.darkspire.net [216.80.25.129])
	by hub.freebsd.org (Postfix) with ESMTP id 0F50337B400
	for <freebsd-isp@freebsd.org>; Sun,  2 Jun 2002 23:56:52 -0700 (PDT)
Received: from stardust.darkspire.net ([216.80.25.138] ident=daemon)
	by oubliette.darkspire.net with esmtp (angarius/aenigma)
	id 17Ellq-0001Lc-00
	for <freebsd-isp@freebsd.org>; Mon, 03 Jun 2002 01:56:50 -0500
Received: (from oneiros@localhost)
	by stardust.darkspire.net (sol/avis) id g536uoA07579
	for freebsd-isp@freebsd.org; Mon, 3 Jun 2002 01:56:50 -0500 (CDT)
Date: Mon, 3 Jun 2002 01:56:50 -0500
From: James <oneiros@darkspire.net>
To: freebsd-isp@freebsd.org
Subject: Re: SSL certificates
Message-ID: <20020603065649.GA7504@stardust.darkspire.net>
Mail-Followup-To: freebsd-isp@freebsd.org
References: <20020603000526.GA5542@stardust.darkspire.net> <Pine.LNX.4.41.0206030749300.1748-100000@opium.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.41.0206030749300.1748-100000@opium.co.za>
User-Agent: Mutt/1.4i
X-PGP-Key: On keyservers and <http://oneiros.darkspire.net/me/pubkey.asc>
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-isp.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-isp>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-isp>
X-Loop: FreeBSD.org

Thus spake Mark Bojara (mark@mics.co.za):

> so do I have to have a physical link to a .pem file or can I use the
> certificate on a SSL site and it will ask them to install it?

    A physical link will do the trick.  For security purposes, clients
    should only accept a new CA certificate when it's explicitly requested,
    or is included in a pack with a client cert they're importing.
    
    Name it something like ca.crt, and make sure the content-type is set
    properly.  Then they can go to http://something/path/to/ca.crt and
    their browser should take care of it automatically.  Wheeee.

    To be safe, look for:
    AddType application/x-x509-ca-cert .crt
    in your apache config.

    If you'd like it to be something.pem, just pop in another AddType for
    it.

    HTH.

-- 
 James <oneiros@darkspire.net>       A cat stalking near
 uri: http://oneiros.darkspire.net/  the Emperor's palace. A
 1024D/62C2F77D                      crouching cat. A fox.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message