20 Apr
2025
20 Apr
'25
2:20 p.m.
On Apr 20, 2025, at 2:17 PM, Yoann Gini <yoann.gini@gmail.com> wrote:
But if I put all of the CA into ca_dir, the Let’s Encrypt issued certificates could also be used to pass client auth?
Technically, yes. Practically no. The LetsEncrypt certificates generally aren't CAs. So they can't issue client certs. Even if they were CAs, you can run the server in debug mode, and see what it prints out about the TLS certificates. You can then add policies to check the TLS-* attributes, to verify that the client certificates are created by a CA you trust. Alan DeKok.