Re: Configuring SSLCACertificatePath in httpd-ssl.conf

On July 19, 2011 10:16, Christopher Johnson <coolsnow23@xxxxxxxxx> wrote:
I have a bunch of CAs that I need to configure. I have everything set up correctly in the httpd-ssl.conf file referencing where my CAs are located. The issue is, from what I have read, these need to be symlinked to work in Linux. Is that the case? How do I do it? I haven't seen much documentation on how it's supposed to be set up.

Symbolic links are not important, in and of themselves. What is important is that the CA certificates can be found. There are several ways to accomplish this.

mod_ssl (a part of Apache HTTP Server) uses OpenSSL for handling certificates and Certificate Authorities (CA). OpenSSL, in turn, needs to be able to find the Certificate Authority certificates when it is presented with a certificate that it needs to verify. There are three main ways for OpenSSL to find Certificate Authority certificates:

1. If you are configuring the CA certificate that was used to sign the certificate used by your server, then store the CA certificate in a file by itself and use the SSLCertificateChainFile directive to have mod_ssl tell OpenSSL the name of this file. You do not need to do anything beyond this.

If you are using certificates for client authentication (that is, certificates supplied by users' web browsers to the web server to prove the users' identities), or if you are proxying content and using certificates to verify the identities of the various front-end and back-end servers involved, then...

2. All CA certificates can be concatenated into a single file, and mod_ssl can give OpenSSL the name of this file (see the documentation for the SSLCACertificateFile, SSLProxyCACertificateFile, and SSLProxyMachineCertificateFile directives). This is easy to configure, but it can be difficult or error-prone to add, replace, or remove CA certificates in this file, especially as the number of CAs gets large. Or,

3. All CA certificates can be stored in a single directory, with each CA certificate having its own file in the directory. mod_ssl gives OpenSSL the path to this directory (see the documentation for the SSLCACertificatePath, SSLProxyCACertificatePath, and SSLProxyMachineCertificatePath directives). Since it would be inefficient (especially when there are a large number of CAs) for OpenSSL to open and read every file in the directory every time it needs to find a CA certificate, OpenSSL expects to have each file be named with the hash of the CA certificate that is in it, followed by a period and a serial number that starts at 0 and gets incremented for each file containing a certificate that has the same hash. If OpenSSL gets a certificate that it needs to verify, signed by a CA certificate with hash 3f77a2b5, then it will look first in the file 3f77a2b5.0 and if the certificate in that file is not the one used to sign the certificate that is being verified, it will then look in the files 3f77a2b5.1, 3f77a2b5.2, and so on.

When you install multiple CA certificates in a single directory, you can calculate the hash for each file (NAME-OF-CA-FILE) by using the command:

openssl x509 -noout -hash -in NAME-OF-CA-FILE

Once you know the hash (HASH), you can then rename the file so that OpenSSL can find it:

mv NAME-OF-CA-FILE HASH.0

However, this is a little unfriendly for the system administrator, since it is not obvious what CA certificates are present. So many people choose to keep the original name of the file and create a symbolic link to that file for OpenSSL:

ln -s NAME-OF-CA-FILE HASH.0

This way, OpenSSL can find the correct CA certificate efficiently, and system administrators can know what CA certificates are present.

If you choose to use a directory for storing CA certificates one-per-file and you also choose to use symbolic links (instead of renaming the files), then you can use the c_rehash script that comes with OpenSSL to create and maintain the symbolic links. This script may be difficult to find on some systems; run "locate c_rehash" to find out if it is installed in a non-obvious location. If you don't have c_rehash on your system, you can download the OpenSSL source code from http://openssl.org/ and unpack it. You'll then find c_rehash in the tools subdirectory.

c_rehash takes a single command line argument: the path to the directory containing the CA certificate files. I usually run it like this:

cd /path/to/CA/cert/directory
c_rehash .

The documentation for Apache HTTP Server 2.2 also mentions a Makefile that comes as a part of mod_ssl that can be used to create the symbolic links. However, I can't find this Makefile in the Apache HTTP Server source code; I suspect the documentation may be out of date in this regard.

I hope this helps.

--
  Mark Montague
  mark@xxxxxxxxxxx
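The hash-and-symlink procedure Mark describes (compute the subject hash of each CA file, link it as HASH.0, HASH.1, ... for colliding hashes, then let OpenSSL find it through SSLCACertificatePath), written out as a small shell script. This is an added example, not part of the original thread and not the c_rehash script that ships with OpenSSL; it only re-implements the naming logic so the layout is visible. It assumes `openssl` is on PATH, that CA files end in .pem or .crt, and that the certificate directory is passed as the first argument. The function names `rehash_ca_dir` and `verify_with_capath` are this example's own. One detail worth noticing: two CA certificates with the same subject name (for instance a root CA and its re-keyed successor) hash to the same value, which is exactly the case the .0/.1 suffixes exist for.

```shell
#!/bin/sh
# Added example: minimal re-implementation of the c_rehash naming scheme.
# Not OpenSSL's own script; assumes `openssl` is on PATH.

# Create HASH.N symlinks in a directory of one-certificate-per-file CA certs.
rehash_ca_dir() {
    dir="$1"
    # Drop stale hash links first (8 hex chars, a dot, a number), so that
    # removed or replaced CA files do not leave dangling links behind.
    for old in "$dir"/*; do
        [ -L "$old" ] || continue
        case "$(basename "$old")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                rm -f "$old" ;;
        esac
    done
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # Same value as the command in the original post.
        hash=$(openssl x509 -noout -hash -in "$cert") || return 1
        # First free suffix for this hash: collisions become .1, .2, ...
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        # Relative link target, so the directory can be moved as a whole.
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
        echo "$(basename "$cert") -> $hash.$n"
    done
}

# Check that OpenSSL can actually build a chain for CERT from the directory,
# which is the same lookup mod_ssl performs through SSLCACertificatePath.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: sh rehash.sh /path/to/CA/cert/directory
if [ -n "${1:-}" ]; then
    rehash_ca_dir "$1" && verify_with_capath "$1" "$1"/*.pem
fi
```

Two caveats when using this against a real server: OpenSSL 1.0.0 changed the subject-hash algorithm, so the stock c_rehash from 1.0.0 onwards also creates links for the old hash (`openssl x509 -subject_hash_old`) for the benefit of older clients reading the same directory, and OpenSSL 1.1.0 and later ship an `openssl rehash` subcommand that does the same job without the Perl script. Whichever tool you use, run `openssl verify -CApath` against a known-good certificate afterwards; a directory with a wrong or missing link fails silently at lookup time, and the only symptom in mod_ssl is a handshake failure for the affected clients.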

