httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 46458] Allow dynamic generation of certificates.
Date Fri, 02 Jan 2009 17:50:31 GMT

sebastian <> changed:

           What    |Removed                     |Added
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #2 from sebastian <>  2009-01-02 09:50:29 PST ---
But I mean if I only know the hostname at the time of the request, before

Or if I generate domains on-the-fly tied to a specific IP address, and want to
lookup the correct domain given a specific IP address, and then load the correct

Let's say I have 50 IPs. Then let's say I have 50 different subdomains connected
to each IP.
Instead of creating 50 VirtualHosts, each with its own certificate, I could simply
have one virtualhost with SSLCertificateFile exec:/usr/bin/cat

And Apache would for the request with the target ip "" execute
"/usr/bin/cat /etc/httpd/certificates/" (which would be a
certificate with its DN set to the correct domain)
and use the certificate it gets on STDOUT for the current SSL request.

That's one example.

The following environment vars are available before handshake:
all SERVER_ variables
all REMOTE_ variables except REMOTE_USER
all TIME_ variables
and the HTTPS variable (which in this case always is "on")

Another example is in a corporate proxy situation, where you want to do SSL
scanning of all SSL requests made from inside firewall.
You can set up a DNS which delivers the IP to
sequentially, for each domain requested, and then store which domain was
requested when the IP x.x.x.x was returned, in a database...

So when a client with the IP requests: from the DNS, it would return " IN A" , and
then store in the database:
"UPDATE domaintable SET domain='' WHERE ip='' AND

Next, the same client requests , it would get " IN A" from the DNS, and then it stores:
"UPDATE domaintable SET domain='' WHERE ip='' AND

Then you can have a CA certificate with its corresponding private key, and then
have a normal certificate with a specific public key and private key.

Then you can have:
SSLCertificateFile /usr/bin/certgenerate %{SERVER_ADDR} %{REMOTE_ADDR}

And the script could look something like this (pseudocode):
Get Argument1 and Argument2 from commandline
Variable1 = "SELECT domain FROM domaintable WHERE ip='Argument1' AND
Load /etc/certificates/cert.pem
Replace current DN with Variable1
Resign certificate with the CA private key
print certificate on STDOUT

So these are the 2 examples I could come up with.

And I think this would be pretty easy to implement. The only thing that needs
to be changed is to load the certificate for each request instead of at server
start, and then allow the use of SSLCertificateFile exec:/path/to/program which
executes the program with specified arguments, and then reads from the STDOUT,
and a function to resolve variable names like %{REMOTE_ADDR}, %{SERVER_ADDR}
and such.

I think it would be a good interface to those that want to do some more
advanced certificate management than loading from a simple file.
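The variable-resolution part of the proposal, as an added example that is not part of the bug comment or of httpd: it expands %{NAME} tokens in a hypothetical exec: directive against a constructed pre-handshake environment, accepts only the variable families the comment lists (SERVER_*, REMOTE_* except REMOTE_USER, TIME_*, HTTPS), and builds an argv list so that connection-derived values are passed to the program as discrete arguments rather than through a shell.

```python
import re
from typing import Dict, List

# Variable families the comment says exist before the TLS handshake.
ALLOWED_PREFIXES = ("SERVER_", "REMOTE_", "TIME_")
DENIED = {"REMOTE_USER"}          # set only after authentication, so never here
TOKEN = re.compile(r"%\{([A-Za-z_][A-Za-z0-9_]*)\}")


def is_available_before_handshake(name: str) -> bool:
    """True if a %{name} token can be resolved while picking a certificate."""
    if name in DENIED:
        return False
    return name == "HTTPS" or name.startswith(ALLOWED_PREFIXES)


def unavailable_tokens(template: str) -> List[str]:
    """Names referenced in template that do not exist before the handshake."""
    return [n for n in TOKEN.findall(template)
            if not is_available_before_handshake(n)]


def expand(template: str, env: Dict[str, str]) -> str:
    """Replace each %{NAME} with env[NAME]; refuse names not yet available."""
    def sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        if not is_available_before_handshake(name):
            raise ValueError(f"{name} is not available before the TLS handshake")
        return env[name]                      # KeyError if the env lacks it
    return TOKEN.sub(sub, template)


def build_argv(directive: str, env: Dict[str, str]) -> List[str]:
    """Turn 'exec:/path/prog %{A} %{B}' into an argv list.

    The directive is split on whitespace *before* expansion, so a value such
    as a REMOTE_ADDR containing spaces or shell metacharacters stays a single
    argument and is never interpreted by a shell (use subprocess.run(argv)).
    """
    if not directive.startswith("exec:"):
        raise ValueError("not an exec: directive")
    parts = directive[len("exec:"):].split()
    return [parts[0]] + [expand(p, env) for p in parts[1:]]


if __name__ == "__main__":
    # Constructed sample environment (documentation-range addresses).
    sample_env = {"SERVER_ADDR": "192.0.2.10", "REMOTE_ADDR": "198.51.100.7",
                  "HTTPS": "on"}
    print(build_argv("exec:/usr/bin/certgenerate %{SERVER_ADDR} %{REMOTE_ADDR}",
                     sample_env))
```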

