LinuxQuestions.org


tanveer 11-09-2009 12:11 AM

understanding OpenSSL with Apache
 
Hello all,

I want to clear up my understanding with you and hope this is not a dumb question. I want to secure Apache with an SSL certificate, and I can do that with certificates. Now there are two ways: one is self-signed and the other is creating my own CA.
In the latter approach there will be a total of 5 files:

server.crt: The self-signed server certificate.
server.csr: Server certificate signing request.
server.key: The private server key, does not require a password when starting Apache.

If I created a CA, then I will have two additional files:

ca.crt: The Certificate Authority's own certificate.
ca.key: The key which the CA uses to sign server signing requests


Now what I am targeting here is to do bidirectional authentication in Apache. So which files should I make available to the client so that it can validate the server's certificates and vice versa?

As per the SSL flow:
When the browser requests a secure page, the web server sends it its public key with its certificate. In this case, which one is it sending to the client browser?

Thank you.

j-ray 11-09-2009 04:31 AM

http://httpd.apache.org/docs/2.2/ssl/

tanveer 11-13-2009 08:37 PM

Hi, thanks for that link.
I finally got the clear picture once I installed and ran the whole setup with a self-signed CA certificate.

I have one question though. I want to do mutual authentication so that both server and client will show each other their certificates. Now I set up SSLVerifyClient require in the server setup and can see with Wireshark that it's asking for a certificate from the client too, but as I didn't set up the client certificate part yet it's not working; that's OK.

Now my question is: when the client shows the server its certificate, is there any way to trigger a PHP script from the server to fetch the values from that certificate? Because I want to check that with programming.

j-ray 11-16-2009 02:22 AM

SSLOptions +ExportCertData

That's the directive for Apache. Unfortunately I don't know how to retrieve the data with JS or PHP. Never needed that yet ;-)
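
Added example, not part of the original thread: one way a PHP script could read the client certificate that mod_ssl exports once SSLOptions +ExportCertData is set alongside SSLVerifyClient require. It assumes +StdEnvVars is also enabled so that SSL_CLIENT_VERIFY is populated; the function name client_cert_identity and the throwaway certificate in the CLI branch are constructed for illustration.

```php
<?php
// Added example. Assumed vhost settings: SSLVerifyClient require,
// SSLCACertificateFile pointing at ca.crt, SSLOptions +StdEnvVars +ExportCertData.

// Returns identity fields of the verified client certificate, or null.
// $server is normally $_SERVER; client_cert_identity is a hypothetical name.
function client_cert_identity(array $server): ?array
{
    // mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only after the chain validated.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    // +ExportCertData places the PEM-encoded client certificate here.
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    $info = $pem === '' ? false : openssl_x509_parse($pem);
    if ($info === false) {
        return null;
    }
    // Re-check the validity window in the application as defence in depth.
    $now = time();
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        return null;
    }
    return [
        'cn'          => $info['subject']['CN'] ?? null,
        'issuer_cn'   => $info['issuer']['CN'] ?? null,
        'serial'      => $info['serialNumber'],
        'not_after'   => gmdate('c', $info['validTo_time_t']),
        'fingerprint' => openssl_x509_fingerprint($pem, 'sha256'),
    ];
}

// CLI demo: a constructed, throwaway self-signed certificate stands in for
// what Apache would export. Under Apache the else branch uses $_SERVER.
if (PHP_SAPI === 'cli') {
    $key = openssl_pkey_new(['private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => 'demo-client'], $key);
    $crt = openssl_csr_sign($csr, null, $key, 30);
    openssl_x509_export($crt, $pem);
    var_dump(client_cert_identity(['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $pem]));
    var_dump(client_cert_identity(['SSL_CLIENT_VERIFY' => 'NONE']));
} else {
    $id = client_cert_identity($_SERVER);
    header('Content-Type: application/json');
    http_response_code($id === null ? 403 : 200);
    echo json_encode($id ?? ['error' => 'no verified client certificate']);
}
```

Authorization decisions are best keyed on the fingerprint or the issuer plus serial pair rather than the CN alone, since any certificate the trusted CA signs can carry an arbitrary CN.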

