Hi, Michael,
I haven't tested nsopenssl with a wildcard SSL cert but I'm assuming
it'll work as I don't think there's anything special that needs to be
done in OpenSSL. The keystore capability you're talking about is
simply a container to manage keys and certs -- it doesn't provide any
special security, though you can (I think) have a password on the
keystore as a whole as well as the normal individual passphrases on
the private keys stored within it.
Private keys for certs on web servers are a problem. If you leave the
passphrase on the key on the cert, you either have to store the
passphrase in plain text in a startup script or someone has to
manually type it in at web server start time. Insecure or
inconvenient. Even in a keystore, the keystore password must be
available somehow in order for the web server to access and use the
key and certificate.
So what you need to figure out is how Apache or IIS are able to access
the group's key and certificate from the keystore so it can be used.
I'll bet the passphrase(s) are stored in plain text somewhere and if
that's the case, then you may as well export them from the keystore,
strip the key of its passphrase and use them in their regular file
format. I've only ever used keys and certs in their normal file format
because it's less opaque and because the keys and certificates rarely
change.
Let me know how you get on, especially if you have any problems with
wildcard certs or if I'm mistaken about keystore capabilities.
/s.
On Oct 31, 2008, at 6:46 PM, Michael Steigman wrote:
Hello list,
We would very much like to use an organizational wildcard cert with
AOLserver which contains a passphrase and is owned/managed by the
org's web group. Typically, the web group logs into servers (Windows
IIS or Apache is what they support) and "installs" the certificate
once and then again whenever the certificate is renewed. Although
this is not my area of expertise, my understanding is that these
other platforms utilize a key store.
I've asked around a bit within the community and so far, the only
suggestion has been to have the group copy the cert to our server
and strip the passphrase out via openssl. I'm uncertain whether the
group owning the cert will go along with this process so I thought
I'd ask the list if there is any other way to handle this situation?
Thanks,
Michael
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]>
with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.