x509 with friendly name support
|Reported by:||Owned by:|
|Severity:||normal||Keywords:||x509 httpd.conf pki|
|Cc:||dirkx@…, Ryan J Ollos||Branch:|
Below is a small patch for those using x509 support - e.g. an apache config as below to allow access based on x509 certs. The reason for doing this is that otherwise the strings shown become very long and wieldy.
One item of note - in a lot of sites the x509 contains the email address; in a lot of other non x509 (e.g. htpasswd sites) the userid can be combined ith some FQDN to become the user their valid email address. Hence it may be useful to at some point add an extra field, email to the current interface.
Note that this is NOT the same as using
(See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername) in your httpd.conf - as with this feature we try to preserve all captured information (i.e. full DN in svn, so we can do XS controls and do this over many years - where the CN may well be not unique).
See test/example config below.