httpd-users mailing list archives

From "Krist van Besien" <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] url proxying
Date Mon, 14 Apr 2008 10:47:38 GMT
On Sun, Apr 13, 2008 at 11:32 PM, Melanie Pfefer
<melanie_pfefer@yahoo.co.uk> wrote:
> hi Krist, all,
>
> To use c_rehash, I must have .pem and .crt files. Correct me if I am wrong please.
> The remote server has a self-signed certificate that was generated using keytool (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html)
> so the file generated is .keytool. Should I generate .pem and .crt files to run c_rehash?
> If so, how?

You can export your certificate using keytool, like this:

keytool -export -alias tomcat -rfc > tomcat.pem

The "-rfc" option is important, as this exports a PEM certificate.
If your keystore is in a different location you need to add the
-keystore <keystorefile> option. If your tomcat server uses a
certificate with a different alias modify the -alias parameter.

For proxying via apache to work it is important that the certificate
passes all the tests. Normally when you connect your browser to a https
server with a self signed certificate, or when something else is wrong,
a dialog will pop up telling you what is wrong and giving you the
option to go ahead and connect anyway. You must understand that since
apache will connect to the https server in a non-interactive way
there is no-one to confirm to apache that it is OK to proceed. Therefore the
certificate must pass all the tests.
1) The common name of the certificate must be identical to the name
used in the URL.
2) The certificate must still be valid.
3) The signature must verify as OK.

1 & 2 you take care of when you generate the certificate. 3) you take
care of on the apache side, by putting the self signed cert in the
cacerts dir.

> On another front, I understand from you that I can have apache as a proxy server that
> talks SSL with the backend and non-ssl with the end user (in URL, the user puts http not
> https even if the backend server is accessed via https). Correct me if I am wrong please.

You can indeed do this. I have one server that does exactly this.

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
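As an added illustration of the procedure in the reply above (not code from the thread or from the Apache project), the script below exports the Tomcat certificate as PEM, installs it into the CA directory the way c_rehash does, and then applies the three tests a non-interactive client such as mod_ssl applies. The keystore path, alias, CA directory and backend hostname are placeholder arguments; the hash-link step assumes a current OpenSSL whose CApath lookup uses -subject_hash.

```shell
#!/bin/sh
# Added example: export, install and check a self-signed backend certificate
# before letting Apache proxy to it over https. All paths/names are placeholders.
set -eu

# Step 1: export the self-signed cert from the Java keystore in PEM form (-rfc).
export_backend_cert() {   # usage: export_backend_cert keystore alias out.pem
    keytool -export -rfc -keystore "$1" -alias "$2" -file "$3"
}

# Step 2: install the PEM into the CA dir like c_rehash does: a symlink named
# <subject_hash>.0 so OpenSSL/mod_ssl can look the cert up by subject.
install_ca_cert() {       # usage: install_ca_cert cert.pem cadir
    cp "$1" "$2/"
    hash=$(openssl x509 -noout -subject_hash -in "$1")
    ln -sf "$(basename "$1")" "$2/$hash.0"
}

# Step 3: the three tests from the reply. Returns 0 only if all pass and
# reports which one failed otherwise. (Newer clients also consult the
# subjectAltName extension, so put the hostname there as well when you can.)
check_backend_cert() {    # usage: check_backend_cert cert.pem cadir backend_host
    cert=$1; cadir=$2; host=$3
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
         | grep -o 'CN=[^,]*' | cut -d= -f2)
    if [ "$cn" != "$host" ]; then                       # test 1: CN == URL host
        echo "FAIL 1: CN '$cn' does not match URL host '$host'" >&2; return 1
    fi
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then  # test 2
        echo "FAIL 2: certificate has expired" >&2; return 2
    fi
    if ! openssl verify -CApath "$cadir" "$cert" >/dev/null 2>&1; then  # test 3
        echo "FAIL 3: signature does not verify against $cadir" >&2; return 3
    fi
    echo "OK: $cert passes all three tests for https://$host/"
}
```

The CA directory populated here is the one you point mod_ssl's SSLProxyCACertificatePath at (with SSLProxyEngine on) in the proxying vhost.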

