On 7/19/16 2:36 PM, Andrew Miller wrote:
> Phil Pishioneri helped me with an alternative configuration for the
> CosignCrypto directive that avoids the use of hashes, so we got my server
> working with cosign. He can share the details.
The CosignCrypto directive has long supported an alternative configuration which, I think, is cleaner and easier to maintain, but isn't documented in the README. Given

    CosignCrypto key-file cert-file CA-list

the CA-list parameter can also be a plain text file of all the Root CAs you trust, concatenated together (in PEM format). Typically there is only one CA in the file, unless perhaps you're migrating to a new CA.

So, with that change, you need a way to specify the Intermediate CAs for your server certificate. The cert-file parameter can be a file of the server's certificate chain, from the server's certificate up to (and optionally including) its Root CA. The file starts with the server's certificate, and the next would be the Intermediate CA that signed the server's certificate, etc. (again, in PEM format).

A PKCS#7 certificate chain file can be used to create the cert-file. Using OpenSSL and a binary p7b file (the InCommon Comodo certificate service provides certs in this format as "PKCS#7 Bin encoded"), this

    openssl pkcs7 -in hostname.p7b -inform DER -print_certs > cert-file

would take a pkcs7 file like "hostname.p7b" and create a usable "cert-file". (Note: the p7b files from Comodo have the certs in the correct order, but that may not always be true.)

Bonus: if you share that server certificate with mod_ssl for secure browsing, and are running at least httpd version 2.4.8, you can share the cert-file and CA-list file (and key-file) with the appropriate SSL directives, and remove the need for hashed CA filenames with mod_ssl. See http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

-Phil Pishioneri
Penn State University
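As an added example (not from Phil's message or the cosign project), a POSIX shell check for the ordering caveat above: it walks a PEM cert-file and confirms that each certificate's issuer is the subject of the next one, so a misordered p7b export is caught before the file is handed to CosignCrypto or SSLCertificateFile. The openssl invocations and the constructed throwaway chain are my assumptions, not part of the original.

```shell
#!/bin/sh
# Check that a PEM cert-file is ordered the way cosign/mod_ssl expect:
# server cert first, then each signing CA in turn (cert N's issuer must be
# cert N+1's subject). Returns 0 when the order is right, 1 otherwise.
check_chain_order() {
  bundle="$1"
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate; text between blocks
  # (the subject=/issuer= lines that "pkcs7 -print_certs" emits) is dropped.
  awk -v p="$tmp/c" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = p "." n }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$bundle"
  count=$(ls "$tmp" | wc -l | tr -d ' ')
  i=1; rc=0
  while [ "$i" -lt "$count" ]; do
    next=$((i + 1))
    issuer=$(openssl x509 -in "$tmp/c.$i" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$tmp/c.$next" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "cert $i issuer [$issuer] does not match cert $next subject [$subject]" >&2
      rc=1
    fi
    i=$next
  done
  rm -rf "$tmp"
  return $rc
}

# Constructed sample (assumption, for demonstration only): a throwaway
# root -> intermediate -> server chain written into directory $1 as
# root.pem, int.pem and host.pem.
make_test_chain() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
    -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/int.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
    -keyout "$dir/host.key" -out "$dir/host.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/host.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -out "$dir/host.pem" >/dev/null 2>&1
}

# Usage: pass a real cert-file (e.g. the output of "openssl pkcs7 ... -print_certs") as $1.
if [ $# -gt 0 ]; then check_chain_order "$1"; fi
```

Run it as `sh check-chain.sh cert-file` right after the pkcs7 conversion; a non-zero exit with the mismatching pair on stderr means the p7b was not in leaf-to-root order.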
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss