Hello Christopher,

You can make one certificate per port, not per IP.
My CAs run on a single server.

5000 Root CA ( public )
5001 Root CA ( private with client authorization )
5005 Services CA ( public )
5006 Services CA ( private with client auth )
5010 Individual CA ( public )
5011 Individual CA ( private with client auth )

Only the public part is reachable outside the firewall (using Linux Virtual Server).

Configuration for my Individual CA on Apache 2.x.x

Listen cratos.home.elysium-os.nl:5010
<VirtualHost cratos.home.elysium-os.nl:5010>
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /home/openca/online/Elysium_Open_Systems_individual_CA/apache/htdocs/

  LogLevel warn
  LogFormat "%t %h \"%r\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" elysium
  ErrorLog "| /usr/sbin/rotatelogs /var/log/apache2/%Y%m%d_pki.elysium-os.nl_5010_error 86400"
  CustomLog "| /usr/sbin/rotatelogs /var/log/apache2/%Y%m%d_pki.elysium-os.nl_5010_access 86400" elysium

  SSLEngine on
  SSLCipherSuite HIGH
  SSLCertificateFile /etc/apache2/ssl/pki_elysium-os_nl_5010.crt
  SSLCertificateKeyFile /etc/apache2/ssl/pki_elysium-os_nl_5010.key
  SSLCertificateChainFile /etc/apache2/ssl/pki_elysium-os_nl_5010.chain
  SSLOptions +StdEnvVars +CompatEnvVars +ExportCertData

  <Directory /home/openca/online/Elysium_Open_Systems_individual_CA/apache/htdocs/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  <Directory /home/openca/online/Elysium_Open_Systems_individual_CA/apache/cgi-bin/>
    AllowOverride None
    Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>
  ScriptAlias /cgi-bin/ /home/openca/online/Elysium_Open_Systems_individual_CA/apache/cgi-bin/

</VirtualHost>

Listen cratos.home.elysium-os.nl:5011
<VirtualHost cratos.home.elysium-os.nl:5011>
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /home/openca/offline/Elysium_Open_Systems_individual_CA/apache/htdocs/

  LogLevel warn
  LogFormat "%t %h \"%r\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" elysium
  ErrorLog "| /usr/sbin/rotatelogs /var/log/apache2/%Y%m%d_pki.elysium-os.nl_5011_error 86400"
  CustomLog "| /usr/sbin/rotatelogs /var/log/apache2/%Y%m%d_pki.elysium-os.nl_5011_access 86400" elysium

  SSLEngine on
  SSLCipherSuite HIGH
  SSLCertificateFile /etc/apache2/ssl/pki_elysium-os_nl_5010.crt
  SSLCertificateKeyFile /etc/apache2/ssl/pki_elysium-os_nl_5010.key
  SSLCertificateChainFile /etc/apache2/ssl/pki_elysium-os_nl_5010.chain
  SSLOptions +StdEnvVars +CompatEnvVars +ExportCertData

  SSLCACertificateFile /etc/apache2/ssl/pki_elysium-os_nl_5010.CAchain
  SSLVerifyClient require
  SSLVerifyDepth 10
  <Directory /home/openca/offline/Elysium_Open_Systems_individual_CA/apache/htdocs/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  <Directory /home/openca/offline/Elysium_Open_Systems_individual_CA/apache/cgi-bin/>
    AllowOverride None
    Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>
  ScriptAlias /cgi-bin/ /home/openca/offline/Elysium_Open_Systems_individual_CA/apache/cgi-bin/

</VirtualHost>

With kind regards,
  Marcel

Marcel Koopmans
Elysium Open Systems


christopher wrote:
Since "one certificate per IP" means I will be able to create only 1
certificate and send it to my partners, those who do not have the
certificate will not be able to access my web server?

So do I still need to use a virtual host for my web server?

On Fri, 2005-11-11 at 07:48 +0100, Oliver Welter wrote:
Hi Christopher,

NameVirtualHost 192.168.1.184:1443

First: VirtualName Hosting does not work with SSL - you can define only
one certificate per IP.

<VirtualHost 192.168.1.184:1443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www/opencatest.syn
    ServerName opencatest.syn
    ErrorLog /var/log/httpd/test_ca_error_log
    CustomLog /var/log/httpd/test_ca_error_log common
    SSLEngine on
    SSLCertificateFile /usr/local/OpenCA/var/crypto/cacerts/cacert.crt
    SSLCertificateKeyFile /usr/local/OpenCA/var/crypto/keys/cakey.pem
</VirtualHost>

You just configured server-side authentication - this means that the
server presents its certificate to the client. What you are looking for
is the "SSLRequire" directive.

If you just want to check for a valid certificate, put
"SSLVerifyClient require" in the definition.
If you want to check for certain attributes in the certificate you can
do this with SSLRequire; in this case you must explicitly export the
SSL variables in Apache with "SSLOptions +StdEnvVars +ExportCertData".

As this is not an OpenCA related question, you had better check the mod_ssl
documentation for further questions.

Oliver



_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
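An added example, not from this thread or from OpenCA, that combines Marcel's client-auth port with the SSLRequire attribute check Oliver describes. The host name, file paths, and the issuer organisation and subject OU strings are assumptions:

```apache
# Assumed client-auth vhost in the style of Marcel's port-5011 block,
# extended with an attribute check on the presented certificate.
Listen ca.example.internal:5011
<VirtualHost ca.example.internal:5011>
  ServerName   ca.example.internal
  DocumentRoot /srv/individual-ca/htdocs

  SSLEngine on
  SSLCipherSuite HIGH
  SSLCertificateFile      /etc/apache2/ssl/ca.example.internal.crt
  SSLCertificateKeyFile   /etc/apache2/ssl/ca.example.internal.key
  SSLCertificateChainFile /etc/apache2/ssl/ca.example.internal.chain

  # Oliver's first case: demand a client certificate that chains to one of
  # the CAs in this bundle. Without these lines only the server is authenticated.
  SSLCACertificateFile /etc/apache2/ssl/accepted-client-cas.pem
  SSLVerifyClient require
  SSLVerifyDepth 3

  # Make the SSL_* variables and the PEM certificate visible to CGI scripts
  # and log formats, as both Marcel's and Oliver's configurations do.
  SSLOptions +StdEnvVars +ExportCertData

  <Location /cgi-bin/>
    # Oliver's second case: a valid chain is not enough. Only certificates
    # issued by the assumed Individual CA and carrying the assumed OU may
    # reach the RA scripts; any other verified certificate is answered 403.
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
               and %{SSL_CLIENT_I_DN_O} eq "Example Open Systems" \
               and %{SSL_CLIENT_S_DN_OU} eq "RA Operators"
  </Location>

  ScriptAlias /cgi-bin/ /srv/individual-ca/cgi-bin/
</VirtualHost>
```

Run `apachectl -t` after editing to check the syntax; a certificate that verifies but carries a different issuer or OU is refused with an HTTP 403, not a TLS handshake failure, so the rejection shows up in the access log.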
