Q: How did you create your client certificate?
A: I used this script to create the Cert:
chmod 755 /etc/ssl/private/www_wittywizard_org_ssl.key
chmod 755 /etc/ssl/private/www_wittywizard_org_nk_ssl.key
openssl req -new -newkey rsa:2048 -nodes -out www_wittywizard_org_ssl.csr -keyout www_wittywizard_org_ssl.key -subj "/C=US/ST=Oregon/L=Terrebonne/O=Witty Wizard/CN=www.wittywizard.org"
openssl x509 -req -days 365 -in www_wittywizard_org_ssl.csr -signkey www_wittywizard_org_ssl.key -out www_wittywizard_org_ssl.crt
cp -f www_wittywizard_org_ssl.crt /etc/ssl/certs/www_wittywizard_org_ssl.crt
cp -f www_wittywizard_org_ssl.key /etc/ssl/private/www_wittywizard_org_ssl.key
cp -f www_wittywizard_org_ssl.key /etc/ssl/private/www_wittywizard_org_nk_ssl.key
cat www_wittywizard_org_ssl.key www_wittywizard_org_ssl.crt > /etc/ssl/certs/www_wittywizard_org_ssl.pem
chmod 400 /etc/ssl/private/www_wittywizard_org_ssl.key
chmod 400 /etc/ssl/private/www_wittywizard_org_nk_ssl.key
Note: www_wittywizard_org_nk_ssl.key was used when I signed it with a
password; otherwise www_wittywizard_org_ssl.key is the same.
I did this to use the certs I created at StartSSL.com, so I created a
signed key, then decrypted it, then I cat'd them as above, so I did
not get the message to enter a password.
Q: How did you add it to your browser?
A: I am running it from Qt Creator, so I add it to the run arguments:
--docroot . --http-address 0.0.0.0 --http-port 8080
--https-address=0.0.0.0 --https-port=4430
--ssl-certificate=/etc/ssl/certs/www_wittywizard_org_ssl.crt
--ssl-private-key=/etc/ssl/private/www_wittywizard_org_nk_ssl.key
--ssl-tmp-dh=/etc/ssl/certs/www_wittywizard_org_ssl.pem --ssl-enable-v3
--ssl-client-verification=required --ssl-verify-depth=15
--ssl-ca-certificates=/etc/ssl/certs/www_wittywizard_org_ssl.crt
Then I went to https://localhost:4430, but I get the error below, so the
service is never started.
Q: Did you also add your CA root certificate to the browser?
A: Yes and no.
I did with the ones I created at StartSSL.com, but I did not for the
self-signed one, since I cannot get the browser to start up; I get an
error:
(asio) use_tmp_dh_file: no start line
Notes:
--ssl-ca-certificates and --ssl-certificate are the same; are they
supposed to be?
There should be detailed instructions on how to do this in the readme
file; do not assume everyone knows how to do this right the first time.
On Mon, 2014-02-10 at 11:51 +0100, Wim Dumon wrote:
> Hi Jeffrey,
>
>
> Client SSL certificates for authentication do not require Apache.
>
>
>
> How did you create your client certificate, and how did you add it to
> your browser? Did you also add your CA root certificate to the
> browser?
>
>
> Best regards,
> Wim.
>
>
>
>
> 2014-02-01 Jeffrey Scott Flesher Gmail
> <jeffrey.scott.fles...@gmail.com>:
>
> Do you need to have Apache set up on the machine if you only
> use wt-httpd in the methods in your example
> SSLClientAuth?
>
> I have set up a self-signed cert; I am using QtCreator with the
> run command:
> --docroot . --http-address 0.0.0.0 --http-port 8080
> --ssl-certificate /etc/httpd/conf/server.crt
> --ssl-private-key /etc/httpd/conf/server.key
> --ssl-tmp-dh=projects/ssl/dh512.pem --ssl-enable-v3
> --ssl-client-verification=required --ssl-verify-depth=15
> --ssl-ca-certificates=/etc/httpd/conf/server.crt
>
> Note: I do not have ssl-tmp-dh, nor do I know if it's required,
> but I get the same results without it; in fact, the same with just
> --docroot . --http-address 0.0.0.0 --http-port 8080,
> which makes me wonder if I am doing this right.
>
> I used this script to create the Cert:
> cd /etc/httpd/conf/
> sudo openssl genrsa -out server.key 4096
> sudo chmod 600 server.key
> sudo openssl req -new -key server.key -out server.csr
> sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
> and it checked out ok, so the paths to the cert are there and
> verified.
>
> I hit the code message:
> Not an SSL session, or no client certificate available. Please
> read the readme file in examples/feature/client-ssl-auth for
> more info.
>
> Then I tried to get more info by doing this:
> Wt::WValidator::Result results = sslInfo->clientVerificationResult();
> new Wt::WText("Not an SSL session, or no client certificate available. Please read the readme file in examples/feature/client-ssl-auth for more info." + results.message(), root());
> This didn't work, or it's not the right way to do it; any clue
> which one?
>
> After a long recovery from being hit in the head by a Micro
> Meteorite, I am back to working on the Witty Wizard CMS.
> I do not want to have Apache installed for security reasons.
> I want to require a public/private cert, but do not want it to
> bomb if it's not there,
> but if it is, give the user a button to log in using the
> server's users,
> so I can log in as root, and run root commands from the web
> page,
> like Virtualmin or cPanel,
> so I can maintain the server from the CMS,
> so I was wondering if you have a function to authenticate
> using local users on the server it's run from?
>
> If this requires Apache, is there a workaround to make
> something like this work without it?
>
> What I need is the most secure way to log in as root and run
> root commands.
>
> Thanks
>
>
>
>
> _______________________________________________
> witty-interest mailing list
> witty-interest@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/witty-interest
--
________________________________________________________________________
Jeffrey Scott Flesher
Disabled Gulf War Vet, Retired U.S. Air Force
Special Ops - Helicopter Crew Chief
jeffrey.scott.fles...@gmail.com
Light Wizzard
http://LightWizzard.com/
Dark Wizzard
http://TheDarkWizzard.com/
Vets Help Center
http://VetsHelpCenter.com/
Binary Bit LAN
http://BinaryBit.com/
Twitter
http://twitter.com/TheLightWizzard
Facebook
http://www.facebook.com/LightWizzard
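A small checker, added here and not part of Wt or of this thread, for the "(asio) use_tmp_dh_file: no start line" error discussed above: it lists the PEM block labels found in each file and compares them with the label OpenSSL's reader looks for when handling each wthttp option, and it also flags a private key that has ended up inside a certificate or DH bundle. The sample PEM bodies are constructed placeholders, not real key material, and the option-to-label table is an assumption based on what OpenSSL's PEM readers accept.

```python
import re

# OpenSSL's PEM reader scans for "-----BEGIN <LABEL>-----"; if the label it
# needs is absent anywhere in the file it reports "no start line".
# Labels assumed for each wthttp option (assumption, see lead-in):
EXPECTED = {
    "--ssl-tmp-dh": {"DH PARAMETERS"},
    "--ssl-private-key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "--ssl-certificate": {"CERTIFICATE"},
    "--ssl-ca-certificates": {"CERTIFICATE"},
}
KEY_LABELS = EXPECTED["--ssl-private-key"] | {"ENCRYPTED PRIVATE KEY"}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_labels(text):
    """Return the labels of every well-formed PEM block in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_option(option, text):
    """Diagnose one option/file pair as OpenSSL would: 'ok' or the reason."""
    found = set(pem_labels(text))
    if found & EXPECTED[option]:
        return "ok"
    return "no start line: %s needs %s, file has %s" % (
        option, sorted(EXPECTED[option]), sorted(found) or "no PEM blocks")

def audit(files):
    """files: {option: pem text}. Returns a list of findings (empty = clean)."""
    findings = []
    for option, text in files.items():
        verdict = check_option(option, text)
        if verdict != "ok":
            findings.append(verdict)
        # A key pasted into a cert or DH file is exposed wherever that file is readable.
        if option != "--ssl-private-key" and set(pem_labels(text)) & KEY_LABELS:
            findings.append("%s file also carries a private key; keep keys "
                            "out of certificate and DH bundles" % option)
    return findings

# Constructed sample blocks (bodies are placeholders, not real key material).
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n"
DH = "-----BEGIN DH PARAMETERS-----\nMIIB...\n-----END DH PARAMETERS-----\n"
COMBINED = KEY + CERT   # what `cat key crt > ssl.pem` in the post produces

if __name__ == "__main__":
    for f in audit({"--ssl-certificate": CERT, "--ssl-private-key": KEY,
                    "--ssl-tmp-dh": COMBINED, "--ssl-ca-certificates": CERT}):
        print(f)
```

Passing the key+cert bundle as --ssl-tmp-dh reproduces the "no start line" verdict; a file produced by `openssl dhparam` (which writes a DH PARAMETERS block) passes.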