On 16.05.23 14:27, Sean Gallagher wrote:
> I have created a CA for the sole purpose of signing the certificate of the LMTPS client. I regard this as a horrible horrible kludge.
... how do you figure that? *Someone*, and that means you, has to specify which clients are allowed to connect. Which leaves three possibilities:
a) You run the CA and thus, the CA can do the selection for you. Which means that in order to deal with a single-permissible-client situation, you need the CA to issue client certs to just that one entity.

b) The CA does *not* and issues (client) certs to entities you do *not* want to grant access. Then the selection job remains yours and, assuming that requiring a client cert from that CA makes any sense in the first place, auth_ssl_username_from_cert is there to help you (by making sure that the username will be "the ID" from the cert so that you can base some additional filtering on that).

c) The CA is willing to enrich the certs it issues with DN parts, X509v3 extensions or the like signalling access rights as granted beforehand by a *fourth* party, as in, you. Which is a terrible can of worms as soon as things, especially the number of such fourth parties to support by the same CA, start to scale up IMHO. Which promptly brings us back to you running the CA yourself ...
Kind regards,
Jochen Bern
Systemingenieur
Binect GmbH
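Added example, not part of the thread and not Dovecot code: the difference between options a) and b) above, expressed with Python's standard ssl module. Requiring a cert from the CA (verify_mode = CERT_REQUIRED) is the selection the CA does for you; once that CA also issues certs to clients you do not want, the server has to read the identity out of the presented cert and check it against its own allow-list. All host names, CA names and function names below are constructed for illustration.

```python
import ssl

def make_lmtps_server_context(ca_file, cert_file, key_file):
    """Server-side TLS context: the handshake fails unless the client
    presents a cert chaining to ca_file (option a: the CA selects)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_file)   # trust only this client CA
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client cert -> no connection
    return ctx

def peer_identity(peercert):
    """Pull the subject commonName out of an SSLSocket.getpeercert() dict.
    The subject is a tuple of RDNs, each RDN a tuple of (type, value) pairs.
    Returns None when no validated cert or no CN is present."""
    if not peercert:
        return None
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None

def client_allowed(peercert, allowed_cns):
    """Option b: the CA vouched for the cert, but which CNs may deliver
    mail stays the operator's decision, hence this second filter."""
    cn = peer_identity(peercert)
    return cn is not None and cn in allowed_cns

# Constructed samples in getpeercert() shape: two clients, same CA.
SAMPLE_ALLOWED_CLIENT = {
    "issuer": ((("commonName", "Example Internal Client CA"),),),
    "subject": ((("organizationName", "Example Mail"),),
                (("commonName", "lmtp-client.example.net"),)),
}
SAMPLE_OTHER_CLIENT = {
    "issuer": ((("commonName", "Example Internal Client CA"),),),
    "subject": ((("organizationName", "Example Mail"),),
                (("commonName", "backup-host.example.net"),)),
}
ALLOWED_CLIENT_CNS = frozenset({"lmtp-client.example.net"})

if __name__ == "__main__":
    for cert in (SAMPLE_ALLOWED_CLIENT, SAMPLE_OTHER_CLIENT):
        print(peer_identity(cert), "->", client_allowed(cert, ALLOWED_CLIENT_CNS))
```

In a real server the dict comes from the accepted socket's getpeercert() after the handshake built by make_lmtps_server_context(); an empty dict means the peer was not validated and is refused.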