httpd-users mailing list archives

From postmas...@sebn.us.to
Subject [users@httpd] Problems with dynamically generating certificate...
Date Tue, 30 Dec 2008 22:08:58 GMT
I would wish to dynamically generate a certificate for each request.

I tried with:

SSLCertificateFile prg:/usr/bin/certgenerate

I also tried:

SSLCertificateFile |/usr/bin/certgenerate

and

SSLCertificateFile exec:/usr/bin/certgenerate

But nothing works, it just generates error messages and does not allow the server to start.

How can I specify a certificate dynamically for each request?

(certgenerate fetches the certificate from the original IP, extracts the DN and then creates
a new certificate out of this. Then it signs the certificate with my private key, and then
prints the completed certificate on STDOUT)



I'm currently using Apache as a transparent forward proxy, and to enable virus scanning of
SSL traffic, I have configured it to pass SSL traffic unencrypted to a parent proxy which
scans traffic for viruses, and this parent then forwards traffic to another port of Apache
(a separate virtualhost), that converts the traffic back to SSL and sends it out to the internet.

The problem is that this generates a security warning in the browser, even when the CA root
is imported. This is because the DN host name does not match the real host name, and using a
DN of "*" or something like that doesn't help.

I need to dynamically create and sign certificates for each request, so the DN always stays
valid.



If this isn't possible, make this a feature request.

Some users would like the possibility to dynamically generate a certificate. Especially users
who want to set up an SSL proxy, OR users that are managing a large number of IPs, for example
a large webhosting, and want to dynamically fetch a certificate from a folder, based on the
SERVER_ADDR header, instead of configuring about let's say 200 virtualhosts (one for each IP
and certificate).


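Why the name "*" still produces the browser warning described in the message, shown as an added example that is not part of the original post: a simplified Python version of the RFC 6125 wildcard rules that TLS clients apply when comparing a certificate name with the requested host. The function names and sample names are constructed for illustration.

```python
import ipaddress


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, host):
    """Return True if one certificate name covers the requested host."""
    try:
        ipaddress.ip_address(host)
        # Simplification: an IP address needs an exact entry, wildcards never apply.
        return pattern == host
    except ValueError:
        pass
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never several
    if "*" in "".join(p[1:]):
        return False  # a wildcard is only honoured in the left-most label
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h  # partial wildcards such as "w*" are treated as literals here


def cert_covers(names, host):
    """names: the DNS names taken from the certificate (CN or subjectAltName)."""
    return any(name_matches(n, host) for n in names)


if __name__ == "__main__":
    # Constructed sample: one static proxy certificate versus per-host names.
    for names in (["*"], ["*.example.com"], ["www.example.com"]):
        for host in ("www.example.com", "a.b.example.com"):
            print(names, host, cert_covers(names, host))
```
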