Re: replacing SnakeOil default Apache server certificate



#1
07-17-2003
Richard Antony Burton

Re: replacing SnakeOil default Apache server certificate


"RoyCTC" <roychew@hotmail.com> wrote in message
news:2cdd170a.0307171208.245261d2@posting.google.com...
> Hello,
>
> How does one replace the default Apache server's certificate issued
> as SnakeOil with one's own server certificate when an improvised URL
> https://www.abc.org:443 is entered and a server certificate served?
> Can one work with server and client certificates simultaneously? Is it
> one or the other?


To create a self-signed certificate:
openssl.exe req -config openssl.cnf -new -nodes -out server.csr -keyout server.key
openssl.exe x509 -in server.csr -out server.crt -req -signkey server.key -days 365 -set_serial 1
(Increment the serial number each time you create a certificate.)

Make sure you enter your host name (e.g. www.abc.org) for the Common Name,
when prompted.

This assumes you have openssl.exe and openssl.cnf, if not you can grab them
from:
http://rab.members.easyspace.com/apache-ssl/

Richard.


#2
07-19-2003
RoyCTC

Apache server and client certificates authentication on Windows

> To create a self signed certificate:
> openssl.exe req -config openssl.cnf -new -nodes -out server.csr -keyout
> server.key
> openssl.exe x509 -in server.csr -out server.crt -req -signkey
> server.key -days 365 -set_serial 1
> (Increment the serial number each time you create a certificate.)
>
> Make sure you enter your host name (e.g. www.abc.org) for the Common Name,
> when prompted.
>
> This assumes you have openssl.exe and openssl.cnf, if not you can grab them
> from:
> http://rab.members.easyspace.com/apache-ssl/
>
> Richard.


Thank you, Richard, for the quick response and help.
For completeness, I have compiled the following guide to how I
successfully achieved my aims.

The Ways to Prepare a Web Site for Server and Client Authentications
====================================================================
Purpose: To establish server and client authentication for a web site
using self-signed certificates, done locally on localhost for testing on Windows.

Software and Platform
Apache 2.0.46 for Win32
Microsoft 2000 Professional
IE 5.5
Openssl 0.9.7b

The following are the important statements and steps taken to configure
Apache's configuration file, httpd.conf:

# Mod_ssl module loaded with the statement
LoadModule ssl_module modules/mod_ssl.so

ServerName localhost

<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>

The above directive reads the SSL configuration file, ssl.conf, which
consists of the following few important statements:

<IfDefine SSL>
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

<VirtualHost _default_:8443>

# General setup for the virtual host
DocumentRoot "C:/Apache2/htdocs"
ServerName localhost
ServerAdmin roychew@hotmail.com
ErrorLog logs/error.log
TransferLog logs/access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile C:/Apache2/conf/demoCA/my-server.der.crt
SSLCertificateKeyFile C:/Apache2/conf/demoCA/my-server.key

SSLCACertificateFile C:/Apache2/conf/demoCA/my-server.cert
SSLCACertificatePath C:/Apache2/conf/demoCA

SSLVerifyClient require
SSLVerifyDepth 1

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

<Directory "C:/Apache2/htdocs">
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
</VirtualHost>
</IfDefine>


Preparations of Certificates
---------------------------------
I've placed all the requests, certificates and keys in a common folder
called demoCA.

I run openssl from the conf subdirectory because I have placed my
openssl.cnf file there.

Run the following commands using the openssl tool to create the server's
request, key and certificate:

> openssl req -config openssl.cnf -new -nodes -out demoCA/my-server.csr -keyout demoCA/my-server.key
> openssl x509 -in demoCA/my-server.csr -out demoCA/my-server.cert -req -signkey demoCA/my-server.key -days 365 -set_serial 1
> openssl x509 -in demoCA/my-server.cert -out demoCA/my-server.der.crt -outform DER


When prompted for the CN during the certificate preparation above, I
chose "localhost" as the common name.
Hence, while preparing the client certificate, "localhost" should be
entered for the CN to match it.
Issued by: "localhost" would then appear in the browser's window after
the certificates are installed into it.
It's important to match them; if not, Apache would consider it an error
when a secured connection is attempted, and it will be logged for
affirmation.

Run the following commands using the openssl tool to create the client's
request, key and certificate:

> openssl req -config openssl.cnf -new -out demoCA/clienta.csr -keyout demoCA/clientakey.pem
> openssl x509 -req -in demoCA/clienta.csr -out demoCA/clienta.pem -CA demoCA/my-server.cert -CAkey demoCA/my-server.key -CAcreateserial -days 365 -outform PEM
> openssl pkcs12 -export -in demoCA/clienta.pem -out demoCA/clienta.p12 -inkey demoCA/clientakey.pem -name "Test User"


Start Apache with
$> apache -D SSL -e warn -k start

Beware that starting Apache via the Apache Monitor service on Windows
would not set the SSL directive option as above.

If the server certificate is not installed before connecting to the
web site, the server will prompt the user's browser to accept the
server's certificate.

IE 5.5 browser changes were made in order to get the prompt window for
the client certificate (with the client certificate installed
beforehand) while connecting to the web site. The setting is for the
local intranet because I used localhost.

Then try to access https://localhost:8443

That's about it for certificates. Yet to do the LDAP part.
Roy
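Roy's server and client certificate steps, reproduced as an added example (not code from the thread) in a non-interactive POSIX shell script, together with the two checks worth running before pointing SSLCACertificateFile and SSLVerifyClient at the files: that clienta.pem verifies against my-server.cert, and that its issuer DN equals the server certificate's subject. File names follow the thread; the -subj values, the minimal openssl.cnf, the added basicConstraints on the server certificate, -nodes on the client key and the PKCS#12 password are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: Roy's demoCA preparation done
# non-interactively, plus the checks mod_ssl will effectively repeat.
# Names follow the thread (demoCA/, my-server.*, clienta.*); the subjects,
# the minimal openssl.cnf, the CA extension and the P12 password are constructed.
set -eu

make_demo_ca() {
  ca="$1/demoCA"
  mkdir -p "$ca"
  # Minimal openssl.cnf so "req" needs neither the system config nor prompting
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$1/openssl.cnf"
  # Marks my-server.cert as an issuer; the thread's plain -signkey step omits
  # this, and verifiers that check the CA flag on the trust anchor need it
  printf 'basicConstraints = CA:TRUE\n' > "$1/ca.ext"
  # Server key and CSR (-nodes: unencrypted key, so Apache can start unattended)
  openssl req -config "$1/openssl.cnf" -new -nodes -newkey rsa:2048 \
      -subj "/CN=localhost" -out "$ca/my-server.csr" -keyout "$ca/my-server.key"
  # Self-sign the server CSR; this certificate doubles as the client CA
  openssl x509 -req -in "$ca/my-server.csr" -signkey "$ca/my-server.key" \
      -days 365 -set_serial 1 -extfile "$1/ca.ext" -out "$ca/my-server.cert"
  # DER copy, the form the posted SSLCertificateFile points at
  openssl x509 -in "$ca/my-server.cert" -outform DER -out "$ca/my-server.der.crt"
  # Client key and CSR (-nodes only to avoid a passphrase prompt here), then
  # sign with the server key as a mini CA; -CAcreateserial writes my-server.srl
  openssl req -config "$1/openssl.cnf" -new -nodes -newkey rsa:2048 \
      -subj "/CN=Test User" -out "$ca/clienta.csr" -keyout "$ca/clientakey.pem"
  openssl x509 -req -in "$ca/clienta.csr" -CA "$ca/my-server.cert" \
      -CAkey "$ca/my-server.key" -CAcreateserial -days 365 -out "$ca/clienta.pem"
  # PKCS#12 bundle for import into the browser (constructed password)
  openssl pkcs12 -export -in "$ca/clienta.pem" -inkey "$ca/clientakey.pem" \
      -name "Test User" -passout pass:changeit -out "$ca/clienta.p12"
}

# Does clienta.pem chain to my-server.cert? That is what mod_ssl checks with
# SSLCACertificateFile + SSLVerifyClient require (exit status 0 means OK).
verify_client_chain() {
  openssl verify -CAfile "$1/demoCA/my-server.cert" "$1/demoCA/clienta.pem"
}

# The browser's "Issued by" is the client certificate's issuer DN; it must
# equal the server certificate's subject DN (CN=localhost in the thread).
client_issued_by_server() {
  iss=$(openssl x509 -in "$1/demoCA/clienta.pem" -noout -issuer -nameopt RFC2253 | cut -d= -f2-)
  sub=$(openssl x509 -in "$1/demoCA/my-server.cert" -noout -subject -nameopt RFC2253 | cut -d= -f2-)
  [ "$iss" = "$sub" ]
}

work=$(mktemp -d)
make_demo_ca "$work"
verify_client_chain "$work" && client_issued_by_server "$work" && echo "demoCA ready in $work"
```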
#3
07-19-2003
Richard Antony Burton

Re: Apache server and client certificates authentication on Windows


"RoyCTC" <roychew@hotmail.com> wrote in message
news:2cdd170a.0307181713.5b3384f6@posting.google.com...

> Start apache with
> $> apache -D SSL -e warn -k start
>
> Beware that by starting Apache Monitor service on windows would not
> set SSL directive option as above


And the easiest way around that is just to remove/comment out the <IfDefine
SSL> and matching </IfDefine> from the ssl.conf file. If you plan to run
with SSL and you don't need the quick and easy way to enable/disable it from
the command line, then these really aren't required.

Richard.

