httpd-users mailing list archives

Subject Re: Re: [users@httpd] Problems with dynamically generating certificate...
Date Wed, 31 Dec 2008 08:54:50 GMT
>>Since the request follows the handshake, would you even know the
>>hostname being requested at the right time? (SNI aside)

One idea is to have a custom-made DNS server which always issues a random IP in, let's say, the
10.1.x.x series for each hostname->IP request. The certgenerate software could get the
target IP by having Apache give it %{SERVER_ADDR} as an argument. (Let's say it's,
and then the certgenerate software could query the DNS server which hostname was requested
when it returned

(The client would have an IP in the 10.2.x.x series and a netmask of

So let's say a user wants to visit

The user would do a DNS request to my DNS server. My DNS server gives a random IP as the answer
(let's say, with a very low TTL. Then the DNS would store in its datafile that was a response for

Then the user does an HTTPS request to my proxy server, which listens on 10.1.*.*. The server
would then start the certgenerate program, which gets the IP certgenerate opens
the DNS server datafile, and checks which hostname was returned for, and it would

Then certgenerate creates a certificate which is valid for and then signs
it with my CA key, and prints it on STDOUT, and then the user would get no certificate warnings
since my CA key is imported in the browser.

So as you said there was no support in Apache for dynamic certificate generation, why not
add support for it? Make it a feature request. Of course, all environment vars that are available
before the SSL handshake could be available in %{<variable>} notation, so they can be used
as arguments to the dynamic certificate generation program.

I would suggest implementing the dynamic certificate support with exec: in the SSLCertificateFile.

Best regards, Sebastian Nielsen
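To make the random-IP trick in the post concrete, here is an added Python model (example code, not Sebastian's or the Apache project's) of the DNS server's datafile: `allocate` is what the DNS server does when it answers a hostname lookup with a random 10.1.x.x address, and `lookup` is what certgenerate would do with Apache's %{SERVER_ADDR} to recover the hostname. The pool size, the TTL value, and the `MappingStore` name are assumptions; expired entries are pruned so addresses get reused, and an unknown or expired address yields None so the proxy refuses rather than guessing a name.

```python
import random
import time
from ipaddress import ip_network
from typing import Dict, Optional, Tuple

# Assumptions (not from the post): the random-IP pool and the "very low TTL" in seconds.
POOL = ip_network("10.1.0.0/16")   # the "10.1.x.x series" the post describes
TTL = 5.0


class MappingStore:
    """Models the DNS server's datafile: which hostname each random IP was handed out for."""

    def __init__(self, seed: Optional[int] = None) -> None:
        self._by_ip: Dict[str, Tuple[str, float]] = {}   # ip -> (hostname, expiry time)
        self._rng = random.Random(seed)

    def _prune(self, now: float) -> None:
        # Forget expired answers so their addresses can be handed out again.
        self._by_ip = {ip: m for ip, m in self._by_ip.items() if m[1] > now}

    def allocate(self, hostname: str, now: Optional[float] = None) -> str:
        """DNS side: answer hostname->IP with a random pool address and record it."""
        now = time.time() if now is None else now
        self._prune(now)
        for _ in range(64):   # retry if the random pick collides with a still-live mapping
            ip = str(POOL[self._rng.randrange(1, POOL.num_addresses - 1)])
            if ip not in self._by_ip:
                self._by_ip[ip] = (hostname, now + TTL)
                return ip
        raise RuntimeError("random-IP pool exhausted")

    def lookup(self, server_addr: str, now: Optional[float] = None) -> Optional[str]:
        """certgenerate side: recover the hostname from Apache's %{SERVER_ADDR}."""
        now = time.time() if now is None else now
        entry = self._by_ip.get(server_addr)
        if entry is None or entry[1] <= now:
            return None   # unknown or expired: refuse rather than guess a name
        return entry[0]

    def active(self, now: Optional[float] = None) -> int:
        """Number of mappings still within their TTL (how much of the pool is in use)."""
        now = time.time() if now is None else now
        return sum(1 for _, expiry in self._by_ip.values() if expiry > now)


if __name__ == "__main__":
    store = MappingStore(seed=7)
    ip = store.allocate("www.example.com", now=1000.0)
    print(ip, store.lookup(ip, now=1002.0), store.lookup(ip, now=1005.0))
```

Note that without SNI the whole scheme hinges on this IP-to-hostname window: once the TTL passes, or if the same address is handed out twice while both mappings are live, certgenerate cannot know which name to put in the certificate.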
