It turns out the approach I described did in fact work. The password was requested from the administrator and the site behaved well. The only deviation I had to make was that the SSLCACertificateFile parameter interpreted a space in the filename as delimiting a second, invalid parameter. The file was renamed to eliminate all whitespace and the SSLCACertificateFile parameter was adjusted to the new filename. The server appears to be running fine.

Thanks

On 2/2/2017 at 6:31 PM, rich.greder@xxxxxxxxxxxx wrote:
>
> On 2/2/2017 at 1:27 PM, "Erik Dobák" <erik.dobak@xxxxxxxxx> wrote:
>>
>> well i am still unsure about the full encryption. i don't like that. if there is a problem the overheads grow to analyze the situation. what about just signing the messages? i mean if you have messages for all why do you want to hide them?
>>
>
> Because the site has a user authentication portal. The owner of the server does not want user passwords being sent in plaintext. Some portions of the site are not open to the public. There is computational overhead, but they have invested in hardware sufficient for managing that. The problem I am faced with is a software/compatibility/standards issue.
>
> I wholeheartedly believe in the open internet model though and my own personal sites are available on our favorite port 80, as well as port 443 (via letsencrypt.org) for the paranoid who think the gov't can't see it.
>
>> E
>>
>> On 2 February 2017 at 17:54, <rich.greder@xxxxxxxxxxxx> wrote:
>>
>>> Hello,
>>>
>>> There is a freshly installed (from Ubuntu 16.04 package) apache server running in a large institution that needs to have port 443 traffic enabled. I am helping a friend of mine configure this server and, at the same time, writing a document for reproducing the installation procedure that will be published online. The server has its own subdomain and the system administrator generated encryption keys to be used for this server. The administrator is talented, but seems to be inexperienced in open-source solutions, so outside help is needed. As a courtesy to my friend, whom I'm helping set this up, I've anonymized the TLD from the filename, but the files are as follows:
>>>
>>> _.example.com.p12
>>> Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
>>> SSL Certificate - .example.com.txt
>>>
>>> I personally do not have easy access to these files, but I can request actions to be performed on them. I had not previously been acquainted with P12 files until now. I found a website that seems to be able to help me export data from the P12 file into a data format that apache can readily use:
>>>
>>> http://wiki.i.gov.ph/iwiki/bin/view/PNPKI/How+to+install+SSL+certificate+in+apache+ubuntu+server
>>>
>>> After reading through this website, I proposed these steps:
>>>
>>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nocerts -out /vault/private.pem
>>> sudo openssl rsa -in /vault/private.pem -out /vault/key.pem
>>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -clcerts -nokeys -out /vault/cert.pem
>>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nokeys -cacerts -out /vault/CAchain.pem
>>>
>>> And then modify ./sites-available/site-443.conf with the lines:
>>>
>>> SSLCertificateFile /vault/cert.pem
>>> SSLCertificateKeyFile /vault/key.pem
>>> SSLCertificateChainFile /vault/CAchain.pem
>>> SSLCACertificateFile /vault/Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
>>>
>>> We tried some of the openssl commands in that document, but we don't have the password. The file named "SSL Certificate - .example.com.txt" is unused, and that does concern me that I'm either neglecting a critical file or needlessly duplicating it. Before asking the administrator for a password, we have questioned whether we are making this needlessly difficult and were curious if there is a solution where these files can be used directly by apache.
>>>
>>> As you can guess, I'm no expert at encryption. Getting keys for the purpose of self-education is very expensive. The extent of my experience is limited to creating self-signed certificates back in the good old days before the web-browser people decided that was to be forbidden practice, and more recently, letsencrypt.org, which operates in a magical smoke and mirrors method. I would like to know if this would be the best practice for my friend encrypting his server's traffic. I am very grateful for any feedback.
>>>
>>> Thank you very much!
>>>
>>> Rich
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>
>>>
>
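An added example, not code from the thread or from the Apache project: a POSIX shell script that constructs a throwaway CA and leaf, packs them into a password-protected .p12 like the one the administrator produced, runs the same three openssl extractions the thread proposes, and checks that key, certificate and chain actually belong together before any of them go into mod_ssl directives. It assumes only the openssl command-line tool; every name, path and password in it is a constructed placeholder.

```shell
# Added example, not code from the thread: build a throwaway CA plus leaf, pack them into
# a password-protected .p12 like the one the admin handed over, export key, cert and chain
# with the thread's openssl steps, and check the pieces fit before Apache is pointed at them.
set -e

make_test_p12() {   # $1 = work dir, $2 = p12 password (both constructed placeholders)
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
      -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
      -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/ca.pem" \
      -name "*.example.com" -out "$d/_.example.com.p12" -passout "pass:$2"
}

# The thread's three extractions. The key first comes out passphrase-protected;
# openssl rsa then writes the unencrypted copy mod_ssl can load without a prompt.
export_p12() {      # $1 = work dir, $2 = p12 password
  d=$1; p12=$d/_.example.com.p12
  openssl pkcs12 -in "$p12" -nocerts -out "$d/private.pem" -passin "pass:$2" -passout pass:tmppass
  openssl rsa -in "$d/private.pem" -out "$d/key.pem" -passin pass:tmppass 2>/dev/null
  openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$d/cert.pem" -passin "pass:$2"
  openssl pkcs12 -in "$p12" -cacerts -nokeys -out "$d/CAchain.pem" -passin "pass:$2"
  chmod 600 "$d/private.pem" "$d/key.pem"   # private material must not be world-readable
}

key_matches_cert() {   # $1 = key.pem, $2 = cert.pem: same public key on both sides?
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
chain_verifies() {     # $1 = CAchain.pem, $2 = cert.pem: does the leaf chain up to what -cacerts gave?
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Apache splits an unquoted argument at whitespace (the failure the thread hit): a path with
# spaces must be double-quoted in the directive, or renamed as the poster ended up doing.
directive() {          # $1 = directive name, $2 = file path
  case $2 in
    *[[:space:]]*) printf '%s "%s"\n' "$1" "$2" ;;
    *)             printf '%s %s\n' "$1" "$2" ;;
  esac
}

if [ "${1:-}" = run ]; then   # "sh this_script run" exercises the whole flow in a temp dir
  w=$(mktemp -d); make_test_p12 "$w" secret; export_p12 "$w" secret
  key_matches_cert "$w/key.pem" "$w/cert.pem" && chain_verifies "$w/CAchain.pem" "$w/cert.pem"
  directive SSLCertificateFile "$w/cert.pem"; directive SSLCertificateKeyFile "$w/key.pem"
  directive SSLCertificateChainFile "$w/CAchain.pem"; rm -rf "$w"
fi
```

With a real .p12 the only change is to skip make_test_p12 and drop the file into the work directory; if key_matches_cert fails, the p12 and the leaf certificate were not issued as a pair and no amount of Apache configuration will fix it.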