Generating client certificates by becoming your own CA with an Apache web server is trivial work and there's plenty of documentation out there on how to achieve this. My problem is slightly different.
I have several clients out there that want to have their own PKI infrastructure. They want to be able to generate their own client certificates and revoke them as well. Our webserver(s) are still responsible for authorizing them when they access our web service.
Would anyone be able to chime in on what are some possible solutions I can look into? I see Apache 2.3 has some SSLOCSP* related directives (http://httpd.apache.org/docs/2.3/mod/mod_ssl.html) but I'm not entirely thrilled about using Apache 2.3 and even more so, it looks like there are browser limitations to SSLOCSP* and we're dealing with clients that don't find that acceptable.
Best Answer
There isn't a truly automated method at present.
I'm not really that keen on the SSL*Path directives personally because they can be troublesome to maintain. So what we do is to use SSLCACertificateFile, SSLCADNRequestFile and SSLCARevocationFile. Then some Python scripting to handle CRL updates as follows:

In which case you just need to obtain a CA cert and CRL distribution point from the clients which are managing their own CAs.
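The kind of CRL-update script the answer describes, written here as an added example (it is not the answerer's script, and it is not part of the original thread). It fetches each client CA's CRL from the distribution point the client supplied, checks the thisUpdate/nextUpdate window, and concatenates the CRLs into one PEM bundle for SSLCARevocationFile. It uses only the standard library, so it does not verify CRL signatures itself; mod_ssl verifies each CRL against the matching CA certificate in SSLCACertificateFile when it loads the bundle, which is what makes fetching over plain HTTP acceptable. The source list, the URLs, the output path and the make_test_crl helper (which builds an unsigned CRL skeleton for exercising the parser) are all constructed for this example.

```python
#!/usr/bin/env python3
"""Assemble a CRL bundle for Apache's SSLCARevocationFile from several
client-managed CAs.  Added example, not the answerer's script.  Standard
library only: CRL signature checking is left to mod_ssl at load time."""
import base64
import re
import urllib.request
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)
INTEGER, UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x02, 0x17, 0x18, 0x30


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        out.append((tag, inner))
    return out


def der_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate may be None."""
    _, cert_list, _ = der_read(der)
    tbs = der_children(cert_list)[0][1]      # tbsCertList is the first element
    fields = der_children(tbs)
    if fields[0][0] == INTEGER:              # optional version (v2) comes first
        fields = fields[1:]
    # fields: signature AlgorithmIdentifier, issuer Name, thisUpdate, [nextUpdate], ...
    this_update = der_time(*fields[2])
    has_next = len(fields) > 3 and fields[3][0] in (UTC_TIME, GENERALIZED_TIME)
    return this_update, der_time(*fields[3]) if has_next else None


def pem_to_der(pem):
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no X509 CRL PEM block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def der_to_pem(der):
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"


def http_fetch(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def build_revocation_bundle(sources, fetch=http_fetch, now=None):
    """sources: [(ca_name, crl_distribution_point_url)] -> (pem_bundle, report).
    Every CRL is kept, even a stale one: dropping it would silently un-revoke
    certificates, whereas a stale CRL makes mod_ssl reject that CA's clients
    (fail closed), and the report tells the operator which client to chase."""
    now = now or datetime.now(timezone.utc)
    bundle, report = b"", {}
    for name, url in sources:
        raw = fetch(url)
        der = pem_to_der(raw) if raw.lstrip().startswith(b"-----") else raw
        this_update, next_update = crl_validity(der)
        if this_update > now:
            report[name] = "not yet valid"
        elif next_update is not None and next_update < now:
            report[name] = "stale (nextUpdate %s)" % next_update.isoformat()
        else:
            report[name] = "ok"
        bundle += der_to_pem(der)
    return bundle, report


def make_test_crl(issuer_cn, this_update, next_update):
    """Constructed, UNSIGNED v2 CRL skeleton used only to exercise the parser
    (mod_ssl would reject it: the signatureValue is a dummy)."""
    def der(tag, value):
        if len(value) < 0x80:
            return bytes([tag, len(value)]) + value
        lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + value
    sha256_rsa = der(SEQUENCE, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    cn = der(SEQUENCE, der(0x06, bytes.fromhex("550403")) + der(0x0C, issuer_cn.encode()))
    issuer = der(SEQUENCE, der(0x31, cn))
    stamp = lambda d: der(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + sha256_rsa + issuer
              + stamp(this_update) + stamp(next_update))
    return der(SEQUENCE, tbs + sha256_rsa + der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    # Placeholder source list and output path; replace with the CA names and
    # CRL distribution points obtained from each client.
    sources = [("client-a", "http://pki.client-a.example/ca.crl")]
    pem, status = build_revocation_bundle(sources)
    with open("/etc/apache2/ssl/client-crls.pem", "wb") as f:   # hypothetical path
        f.write(pem)
    print(status)
```

Run it from cron, then apachectl graceful so mod_ssl re-reads the file. In the vhost, SSLCACertificateFile holds the concatenated client CA certificates (the trust anchors), SSLCADNRequestFile the subset of issuer names advertised to browsers in the CertificateRequest, and SSLCARevocationFile the bundle this script writes; on Apache 2.4 also set SSLCARevocationCheck chain, otherwise the bundle is never consulted. Treat any entry in the report other than "ok" as an alert: a CRL past its nextUpdate means every certificate from that client CA will be refused until the client publishes a fresh one.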