Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Tony wrote:
>Charles Oram wrote:
>>So if I install the user's self-signed certificate on the server, isn't
>>that just giving the server the user's public key so that the server can
>>authenticate the user? OK, I don't have the full chain of trust that you
>>have with signed certificates, but you need more than a username and
>>password to login to CVS then.
>
>That's not how SSL works - you create a local CA, then issue certificates
>from that CA to your clients. The server then knows it can trust the
>certificate as it was issued from its own (trusted) CA. You'd have to
>issue the ca.pem for your local CA of course...
>
>This not only allows you to control which clients can connect, but you can
>control things like the expiration date and revoke old clients easily.
>
>I know of no implementations that work as you suggest - the whole point of
>signing is you don't need huge databases of valid clients.. you'd end up
>with login time sucking as it'd have to compare every public key it knew
>about with the supplied one (that's even if it's possible to implement such
>a scheme in SSL.. you might not be able to get the presented keys & convert
>them into a useful format anyway).

OK, but is the server certificate that was generated with genkey self-signed? Can I just make my own client certificates that are signed with the server private key? And if so, how do you do it - can I just use the openssl tools?

Thanks for your help.

Charles
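The scheme described in the quoted reply (a local CA issues the client certificates, and a verifier that trusts only ca.pem accepts those and nothing else), sketched with the openssl command-line tools. This is an added example, not part of the original thread; the names Demo Local CA, alice and outsider, the file names and the validity periods are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: local CA -> client certificate -> trust check with openssl.
# Every name here (Demo Local CA, alice, outsider, file names) is constructed.

make_ca() {                       # $1 = work dir; writes ca.cnf, ca.key, ca.pem
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_client() {                  # $1 = work dir, $2 = client name
    # The client generates its own key and a certificate signing request ...
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # ... and the CA signs it, which is where the expiry date is set.
    printf 'extendedKeyUsage = clientAuth\n' > "$1/client.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/client.ext" \
        -out "$1/$2.pem" 2>/dev/null
}

self_signed() {                   # $1 = work dir, $2 = name; NOT issued by the CA
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

is_trusted() {                    # $1 = work dir, $2 = certificate to check
    # Only ca.pem is trusted; no per-client list of public keys is needed.
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$2" 2>/dev/null \
        | grep -q ': OK$'
}

d=$(mktemp -d) && make_ca "$d" && issue_client "$d" alice && self_signed "$d" outsider
is_trusted "$d" "$d/alice.pem"    && echo "alice: accepted (issued by the local CA)"
is_trusted "$d" "$d/outsider.pem" || echo "outsider: rejected (self-signed)"
rm -rf "$d"
```

The CA private key (ca.key) is the only secret that can mint new clients, so it belongs off the server; the server needs ca.pem only.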