in reply to How do I ensure client side certificates are used in SSL handshaking?
Here is something that bears on the problem at hand, but I do not know how to act on it. Check out this link: http://search.cpan.org/~sullr/IO-Socket-SSL-1.997/lib/IO/Socket/SSL.pod. There I read the following:
"Check if we trust the certificate, e.g. make sure it's not a forgery. We believe that a certificate is not a fake if we either know the certificate already or if we trust the issuer (the CA) and can verify the issuer's signature on the certificate. In reality there is often a hierarchy of certificate agencies and we only directly trust the root of this hierarchy. In this case the peer not only sends his own certificate, but also all intermediate certificates. Verification will be done by building a trust path from the trusted root up to the peer's certificate and checking in each step if we can verify the issuer's signature. This step often causes problems, because the client does not know the necessary trusted root certificates. These are usually stored in a system dependent CA store, but often the browsers have their own CA store."
Emphasis added.
Both the server and client side certificates were signed by the same CA (one I created using openssl), and I have the CA's certificate on both machines. The CA's certificate is in the proper directory for Apache to use it if it wishes, but how do I tell my client software about it? I have not (yet) found a way to tell LWP's user agent about the CA's (my) certificate.
Might this problem be a client side problem? If so, how do I tell the user agent on my client machine to use my CA's certificate for validating my server's certificate?
Also, do I have to worry about telling servers like nginx or Apache to send both the server's certificate and the whole chain of intermediate certificates, or do they do that automagically? But that begs the question of how to do that in my client side code. Is that by placing the CA root's certificate on the server and configuring the server to use it when checking the client side certificates? Or do I have to add more code to tell the user agent to send them?
Thanks
Ted
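For the client side of the question above, the following is an added example (not code from the post or from the IO::Socket::SSL documentation) showing how LWP::UserAgent is pointed at a private CA and a client certificate via its ssl_opts, which LWP passes through to IO::Socket::SSL. The file paths and host name are placeholders.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER

# Placeholder paths: substitute the CA you created with openssl, plus the
# client certificate it signed and that certificate's private key.
my $ca_file   = '/path/to/my-ca.crt';
my $cert_file = '/path/to/client.crt';
my $key_file  = '/path/to/client.key';   # keep this file readable only by the client user

# Build a user agent that (a) trusts only our private CA when validating the
# server's chain and (b) presents our client certificate when the server asks.
sub make_mtls_agent {
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,                # server name must match its certificate
            SSL_verify_mode => SSL_VERIFY_PEER,  # fail closed if no trust path to $ca_file
            SSL_ca_file     => $ca_file,         # trust anchor: our CA, not the system store
            SSL_cert_file   => $cert_file,       # sent only if the server requests a client cert
            SSL_key_file    => $key_file,
        },
    );
}

my $ua  = make_mtls_agent();
my $res = $ua->get('https://server.example.internal/');   # placeholder host

if ($res->is_success) {
    print $res->decoded_content;
} else {
    # A chain that cannot be built back to $ca_file, or a hostname mismatch,
    # surfaces here as a failed request rather than a silently unverified one.
    die "Request failed: " . $res->status_line . "\n";
}
```

The client certificate is only sent if the server requests one, so the server must also be configured to ask for it and to trust the same CA (for Apache, SSLVerifyClient together with SSLCACertificateFile; for nginx, ssl_verify_client with ssl_client_certificate). Whether the server sends its intermediate chain is likewise a server-side setting, and with a single private CA there are no intermediates to send.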
Re^2: How do I ensure client side certificates are used in SSL handshaking?
by ted.byers (Monk) on Jul 31, 2014 at 18:57 UTC