John Doe wrote:
> The goal is to be able to distribute client certificates to filter web
> access to certain resources.

How about using just basic user names and passwords? Seems a lot simpler.

Client certs can really make things messy and complicated. I worked with them a bunch several years ago, ENDLESS headaches, and we weren't using CRL formally at least; the application had a sort of CRL built into it, where we specifically registered certain CNs with the app, and Apache just acted as a pass-through mechanism to the app (which was Java/Tomcat).

http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html

nate