httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rich.gre...@hushmail.com
Subject Re: [users@httpd] How to enable 443 on apache2 using provided key files
Date Sun, 05 Feb 2017 17:41:08 GMT
It turns out the approach I described did in fact work.  The password was requested from the
administrator and the site behaved well.

The only deviation I had to make was that the SSLCACertificateFile parameter interpreted a
space in the filename as delimiting a second invalid parameter.  The file was renamed to eliminate
all whitespace and the SSLCACertificateFile parameter was adjusted to the new filename.  Server
appears to be running fine.

Thanks

On 2/2/2017 at 6:31 PM, rich.greder@hushmail.com wrote:
>
>On 2/2/2017 at 1:27 PM, "Erik Dobák" <erik.dobak@gmail.com> wrote:
>>
>>well i am still unsure abut the full encryption. i don't like 
>>that. if
>>there is a problem the overheads grow to analyze the situation. 
>>what about
>>just signing the messages? i mean if you have messages for all 
>why 
>>do you
>>want to hide them?
>>
>
>Because the site has a user authentication portal.  The owner of 
>the server does not want user passwords being sent in plaintext.  
>Some portions of the site is not open to the public.  There is 
>computational overhead, but they have invested in hardware 
>sufficient for managing that.  The problem I am faced is a 
>software/compatibility/standards issue.
>
>I wholeheartedly believe in the open internet model though and my 
>own personal sites are available on our favorite port 80, as well 
>as port 443 (via letsencrypt.org) for the paranoid who think the 
>gov't can't see it.
>
>>E
>>
>>On 2 February 2017 at 17:54, <rich.greder@hushmail.com> wrote:
>>
>>> Hello,
>>>
>>> There is a freshly installed (from Ubuntu 16.04 package) apache 
>>server
>>> running in a large institution that needs to have port 443 
>>traffic
>>> enabled.  I am helping a friend of mine configure this server 
>>and, at the
>>> same time, writing a document for reproducing the installation 
>>procedure
>>> that will be published online.  The server has it's own 
>>subdomain and the
>>> system administrator generated encryption keys to be used for 
>>this server.
>>> The administrator is talented, but seems to be inexperienced in 
>>open-source
>>> solutions, so outside help is needed.  As a courtesy to my 
>>friend, whom I'm
>>> helping set this up, I've anonymized the TLD from the filename, 
>>but the
>>> files are as follows:
>>>
>>> _.example.com.p12
>>> Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-
>>primary.txt
>>> SSL Certificate - .example.com.txt
>>>
>>> I personally do not have easy access to these files, but I can 
>>request
>>> actions to be performed on them.  I had not previously been 
>>acquainted with
>>> P12 files until now.  I found a website that seems to be able 
>to 
>>help me
>>> export data from the P12 file into a data format that apache 
>can 
>>readily
>>> use:
>>>
>>> http://wiki.i.gov.ph/iwiki/bin/view/PNPKI/How+to+install+
>>> SSL+certificate+in+apache+ubuntu+server
>>>
>>> After reading through this website, I proposed these steps:
>>>
>>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nocerts -out
>>> /vault/private.pem
>>> sudo openssl rsa -in private.pem -out /vault/key.pem
>>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -clcerts -
>>nokeys -out
>>> /vault/cert.pem
>>> sudo openssl pkcs12 -in /vault/_.example.p12 -nokeys -cacerts -
>>out
>>> /vault/CAchain.pem
>>>
>>> And then modify ./sites-available/site-443.conf with the lines:
>>>
>>> SSLCertificateFile /vault/cert.pem
>>> SSLCertificateKeyFile /vault/keys.pem
>>> SSLCertificateChainFile /vault/CAchain.pem
>>> SSLCACertificateFile /vault/Intermediate-GeoTrust-True
>>> BusinessID-RSA-SHA2-SHA1Root-primary.txt
>>>
>>>
>>> We tried some of the openssl commands in that document, but we 
>>don't have
>>> the password.  The file named "SSL Certificate - 
>>.example.com.txt" is
>>> unused, and that does concern me that I'm either neglecting a 
>>critical file
>>> or needlessly duplicating it.  Before asking the administrator 
>>for a
>>> password, we have questioned whether we are making this 
>>needlessly
>>> difficult and were curious if there is a solution where these 
>>files can be
>>> used directly by apache.
>>>
>>> As you can guess, I'm no expert at encryption.  Getting keys, 
>>for the
>>> purpose of self-education is very expensive.  The extent of my 
>>experience
>>> is limited to creating self-signed certificates back in the 
>good 
>>old days
>>> before the web-browser people decided that was to be forbidden 
>>practice,
>>> and more recently, letsencrypt.org, which operates in a magical 
>>smoke and
>>> mirrors method.  I would like to know if this would be the best 
>>practice
>>> for my friend encrypting his server's traffic.  I am very 
>>grateful for any
>>> feedback.
>>>
>>> Thank you very much!
>>>
>>> Rich
>>>
>>>
>>> ----------------------------------------------------------------
>-
>>----
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>
>
>-------------------------------------------------------------------
>--
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message