Hi,

This might not be new to the group, but I played with Apache a bit and found a nice solution to strengthen the way the ramanager authenticates itself.

I now have the following apache.conf in ra:

<VirtualHost ra.mycompany.de:4443>

    ServerName ra.mycompany.de
    DocumentRoot /RA/apache/htdocs
    ServerAdmin [EMAIL PROTECTED]
    # Work around MSIE SSL bugs (stock mod_ssl recommendation)
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    SSLEngine on
    SSLCertificateFile /RA/ssl.crt/server.pem
    SSLCertificateKeyFile /RA/ssl.key/key.pem
    SSLCertificateChainFile /RA/OpenCA/var/crypto/chain/cacert.crt
    # CA certificate and CRL used to verify the client certificates
    SSLCACertificateFile /RA/OpenCA/var/crypto/cacerts/cacert.pem
    SSLCARevocationFile /RA/OpenCA/var/crypto/crls/cacrl.pem
    # Every client must present a certificate that chains to the CA above
    SSLVerifyClient require
    SSLVerifyDepth 10
    # +StrictRequire: a failing SSLRequire denies access even where "Satisfy any" would
    # otherwise let another access check override it
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire

    ErrorLog /var/log/httpd/ra.srv.err.log
    CustomLog /var/log/httpd/ra.srv.req.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    ScriptAlias "/cgi-bin/" "/RA/apache/cgi-bin/"
    <Directory "/RA/apache/cgi-bin">
        AllowOverride None
        Options FollowSymLinks
        # Source-address restriction on top of the certificate check
        # (a partial dotted address is a network prefix, e.g. 10.1.114 = 10.1.114.0/24)
        Order deny,allow
        Deny from all
        Allow from 10.1.114 10.100.1 10.1.102
        SSLRequireSSL
        # The client certificate subject must have O=MyCompany and CN exactly "ramanager".
        # The pattern is anchored on purpose: an unanchored m/ramanager?/ would also
        # accept any CN that merely contains "ramanage" somewhere.
        SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "MyCompany" \
                     && %{SSL_CLIENT_S_DN_CN} =~ m/^ramanager$/ )
    </Directory>


and so on (except pub) ...

Now, when I go to ra, I am prompted for which of my certificates I want to use for authentication!

I think this might be helpful for anybody already running OpenCA.

Best regards

Nick

PgP-Fingerprint: 044B 65C4 07E3 F47C 9388 1CCE 3B43 038E 437C 1286

P.S. BTW: I am using SuSE 8.0 and OpenCA 9.1.1.
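The following is an added example and not part of Nick's post or of OpenCA: a small Python script that emulates the access decision the <Directory> block above makes, so the policy can be sanity-checked offline before a certificate is cut. The sample client subjects and peer addresses are constructed, the "Allow from" prefix handling and the SSLRequire evaluation are approximations of mod_ssl's behaviour (Perl-style `=~ m/.../` modelled as an unanchored `re.search`), and it compares the CN pattern as originally posted, `m/ramanager?/`, with an anchored `m/^ramanager$/`.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample requests (not real certificates): the fields a request
# would expose to mod_ssl as SSL_CLIENT_S_DN_O / SSL_CLIENT_S_DN_CN plus the
# peer address.
SAMPLE_CLIENTS = [
    {"ip": "10.1.114.7",  "O": "MyCompany", "CN": "ramanager"},         # the intended RA manager
    {"ip": "10.1.114.7",  "O": "MyCompany", "CN": "ramanager-backup"},  # CN merely contains the string
    {"ip": "10.1.114.7",  "O": "MyCompany", "CN": "ramanage"},          # trailing 'r' missing
    {"ip": "10.1.114.7",  "O": "OtherCorp", "CN": "ramanager"},         # wrong organisation
    {"ip": "192.168.5.9", "O": "MyCompany", "CN": "ramanager"},         # right cert, wrong network
]

# 'Allow from' list from the <Directory> block; a partial dotted address in
# Apache is a network prefix, so "10.1.114" covers 10.1.114.0/24.
ALLOW_FROM = ["10.1.114", "10.100.1", "10.1.102"]

# The CN pattern as originally posted (unanchored, trailing 'r' optional) and
# an anchored one that only accepts the exact CN.
ORIGINAL_CN_PATTERN = r"ramanager?"
ANCHORED_CN_PATTERN = r"^ramanager$"


def allow_from_matches(ip, prefixes=ALLOW_FROM):
    """Emulate 'Allow from <partial address> ...' (assumed prefix semantics)."""
    addr = ip_address(ip)
    for prefix in prefixes:
        octets = prefix.split(".")
        network = ip_network(
            ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        )
        if addr in network:
            return True
    return False


def ssl_require(o, cn, cn_pattern):
    """Emulate the SSLRequire expression: 'eq' is an exact string compare,
    '=~ m/.../' is an unanchored Perl-style match (re.search here)."""
    return o == "MyCompany" and re.search(cn_pattern, cn) is not None


def access_granted(client, cn_pattern):
    """Both the address restriction and the certificate policy must hold."""
    return allow_from_matches(client["ip"]) and ssl_require(
        client["O"], client["CN"], cn_pattern
    )


def decisions(cn_pattern, clients=SAMPLE_CLIENTS):
    """Access decision for each sample client under the given CN pattern."""
    return [access_granted(c, cn_pattern) for c in clients]


if __name__ == "__main__":
    for label, pattern in (("as posted", ORIGINAL_CN_PATTERN),
                           ("anchored", ANCHORED_CN_PATTERN)):
        print(f"CN pattern {label}: {pattern}")
        for client, ok in zip(SAMPLE_CLIENTS, decisions(pattern)):
            print(f"  {client['ip']:<12} O={client['O']:<10} "
                  f"CN={client['CN']:<17} {'allowed' if ok else 'denied'}")
```

Under the posted pattern the first three clients are all let in, because `m/ramanager?/` matches "ramanager-backup" and "ramanage" as well; with the anchored pattern only the exact CN "ramanager" passes, and the wrong organisation and the out-of-range address are refused under both.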

