On 7/19/16 2:36 PM, Andrew Miller wrote:
> Phil Pishioneri helped me with an alternative configuration for the 
> CosignCrypto directive that avoids the use of hashes, so we got my server 
> working with cosign. He can share the details. 

The CosignCrypto directive has long supported an alternative
configuration which, I think, is cleaner and easier to maintain, but
isn't documented in the README. Given

    CosignCrypto key-file cert-file CA-list


The CA-list parameter can also be a plain text file of all the Root CAs
you trust, concatenated together (in PEM format). Typically only one CA
in the file, unless perhaps you're migrating to a new CA.

So, with that change, you need a way to specify the Intermediate CAs for
your server certificate. The cert-file parameter can be a file of the
server's certificate chain, from the server's certificate up to (and
optionally including) its Root CA. The file starts with the server's
certificate, and the next would be the Intermediate CA that signed the
server's certificate, etc. (again, in PEM format).

A PKCS#7 certificate chain file can be used to create the cert-file.
Using OpenSSL and a binary p7b file (the InCommon Comodo certificate
service provides certs in this format as "PKCS#7 Bin encoded") this

    openssl pkcs7 -in hostname.p7b -inform DER -print_certs > cert-file


would take a pkcs7 file like "hostname.p7b" and create a usable
"cert-file". (Note: the p7b files from Comodo have the certs in the
correct order, but that may not always be true.)
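A way to check that ordering caveat before pointing CosignCrypto at the file, as an added example (not from the original message; it assumes openssl is on PATH, and the function names are my own):

```shell
# Added example (not from the original message): sanity-check a PEM cert-file
# built from a p7b. Expected order: server cert, each issuing intermediate,
# optionally the root. Assumes openssl on PATH; function names are my own.

# Number of certificates in a PEM bundle.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth certificate (1-based) of a PEM bundle to stdout.
pem_cert_nth() {
    awk -v n="$2" '
        /^-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /^-----END CERTIFICATE-----/ { if (i == n) exit }
    ' "$1"
}

# Succeeds only if certificate N+1 is the issuer of certificate N for every N.
# Catches a misordered bundle by name matching only; verify_chain checks signatures.
check_chain_order() {
    file="$1"
    count=$(pem_cert_count "$file") || count=0
    [ "$count" -ge 1 ] || { echo "no certificates in $file" >&2; return 1; }
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(pem_cert_nth "$file" "$i" | openssl x509 -noout -issuer)
        subject=$(pem_cert_nth "$file" "$next" | openssl x509 -noout -subject)
        # openssl prefixes the DN with "issuer=" / "subject="; strip and compare
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $next is not the issuer of certificate $i" >&2
            return 1
        fi
        i=$next
    done
    return 0
}

# Cryptographic check: verify the server cert (first in the bundle) against
# the trusted CA-list, using the rest of the bundle as untrusted intermediates.
verify_chain() {
    file="$1"; ca_list="$2"
    leaf=$(mktemp) || return 1
    pem_cert_nth "$file" 1 > "$leaf"
    openssl verify -CAfile "$ca_list" -untrusted "$file" "$leaf" >/dev/null 2>&1
    rc=$?
    rm -f "$leaf"
    return "$rc"
}
```

Run `check_chain_order cert-file && verify_chain cert-file CA-list` on the two files you intend to give CosignCrypto; a non-zero exit means the bundle order or the trust path is wrong.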

Bonus: if you share that server certificate with mod_ssl for secure
browsing, and are running at least httpd version 2.4.8, you can share
the cert-file and CA-list file (and key-file) with the appropriate SSL
directives, and remove the need for hashed CA filenames with mod_ssl. See

    http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile


-Phil Pishioneri
Penn State University

