<![CDATA[Lazyweb, a question: if (1) run a certificate authority let's call A, and a web server W, is there a way for me to say that a client C must have A manually installed as trusted CA in order to get a web page from W?]]>Lazyweb, a question: if (1) run a certificate authority let's call A, and a web server W, is there a way for me to say that a client C must have A manually installed as trusted CA in order to get a web page from W?

I mean "get the page at all", not "have a fallback option" or "see a warning".

I mean for people with A installed they it's a normal website and for people without A it's completely inaccessible.

]]>https://board.circlewithadot.net/topic/d6429bed-8730-49ac-9e8d-5bcc2708b27f/lazyweb-a-question-if-1-run-a-certificate-authority-let-s-call-a-and-a-web-server-w-is-there-a-way-for-me-to-say-that-a-client-c-must-have-a-manually-installed-as-trusted-ca-in-order-to-get-a-web-page-from-wRSS for NodeFri, 15 May 2026 02:35:18 GMTThu, 14 May 2026 21:30:24 GMT60<![CDATA[Reply to Lazyweb, a question: if (1) run a certificate authority let's call A, and a web server W, is there a way for me to say that a client C must have A manually installed as trusted CA in order to get a web page from W? on Thu, 14 May 2026 21:56:52 GMT]]>@mhoye it sounds like you’re looking for mutual authentication? https://en.wikipedia.org/wiki/Mutual_authentication

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/TindrasGrove/statuses/116575162348564483https://board.circlewithadot.net/post/https://infosec.exchange/users/TindrasGrove/statuses/116575162348564483Thu, 14 May 2026 21:56:52 GMT<![CDATA[Reply to Lazyweb, a question: if (1) run a certificate authority let's call A, and a web server W, is there a way for me to say that a client C must have A manually installed as trusted CA in order to get a web page from W? on Thu, 14 May 2026 21:53:06 GMT]]>@mhoye yeah... nginx does not provide a variable with a server cert verification error, apache doesn't seem to have any similar tool as well.

Also thinking about this, if a client trusts the server cert directly without having the CA cert installed, it wouldn't send a TLS alert. The connection will just succeed.

If you're going to be installing a custom cert on the clients, you might as well make it a client cert. This has the benefit of using a tried and tested authentication method.

]]>https://board.circlewithadot.net/post/https://social.petko.me/users/petko/statuses/116575147524541471https://board.circlewithadot.net/post/https://social.petko.me/users/petko/statuses/116575147524541471Thu, 14 May 2026 21:53:06 GMT<![CDATA[Reply to Lazyweb, a question: if (1) run a certificate authority let's call A, and a web server W, is there a way for me to say that a client C must have A manually installed as trusted CA in order to get a web page from W? on Thu, 14 May 2026 21:40:02 GMT]]>@mhoye closest thing I've ever seen is in Radius, where the Radius *server* gets a TLS Alert "bad certificate" whenever a client fails to connect to it due to a failure in the server cert validation.

Maybe TLS Alert is a good keyword to look into (http://www2.gnutls.org/manual/html_node/The-TLS-Alert-Protocol.html)

]]>https://board.circlewithadot.net/post/https://social.petko.me/users/petko/statuses/116575096190214988https://board.circlewithadot.net/post/https://social.petko.me/users/petko/statuses/116575096190214988Thu, 14 May 2026 21:40:02 GMT<![CDATA[Reply to Lazyweb, a question: if (1) run a certificate authority let's call A, and a web server W, is there a way for me to say that a client C must have A manually installed as trusted CA in order to get a web page from W? on Thu, 14 May 2026 21:37:07 GMT]]>@mhoye You could get partway to what it seems like you want by having W require a _client_ certificate, signed by A, for any TLS connection, but then you have to provision client certs for each client - not just configure them to trust A.

]]>https://board.circlewithadot.net/post/https://mastodon.transneptune.net/users/owen/statuses/116575084717171768https://board.circlewithadot.net/post/https://mastodon.transneptune.net/users/owen/statuses/116575084717171768Thu, 14 May 2026 21:37:07 GMT<![CDATA[Reply to Lazyweb, a question: if (1) run a certificate authority let's call A, and a web server W, is there a way for me to say that a client C must have A manually installed as trusted CA in order to get a web page from W? on Thu, 14 May 2026 21:36:52 GMT]]>@mhoye I suppose https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security will be a possible solution.

]]>https://board.circlewithadot.net/post/https://oslo.town/users/hallvors/statuses/116575083699786127https://board.circlewithadot.net/post/https://oslo.town/users/hallvors/statuses/116575083699786127Thu, 14 May 2026 21:36:52 GMT<![CDATA[Reply to Lazyweb, a question: if (1) run a certificate authority let's call A, and a web server W, is there a way for me to say that a client C must have A manually installed as trusted CA in order to get a web page from W? on Thu, 14 May 2026 21:34:45 GMT]]>@mhoye _Specifically_ that the client must be manually configured to trust the issuer? Not in any commonly-deployed configuration I'm aware of, no. TLS implementations tend to make very little distinction between system, managed, and user-provided trust roots.

]]>https://board.circlewithadot.net/post/https://mastodon.transneptune.net/users/owen/statuses/116575075410971364https://board.circlewithadot.net/post/https://mastodon.transneptune.net/users/owen/statuses/116575075410971364Thu, 14 May 2026 21:34:45 GMT