Problems with dynamically generating certificate...


 



I would wish to dynamically generate a certificate for each request.

I tried with:



SSLCertificateFile prg:/usr/bin/certgenerate

I also tried:

SSLCertificateFile |/usr/bin/certgenerate

and

SSLCertificateFile exec:/usr/bin/certgenerate



But nothing works, it just generates error messages and does not allow the server to start.



How can I specify a certificate dynamically for each request?

(certgenerate fetches the certificate from the original IP, extracts the DN and then creates a new certificate out of this. Then it signs the certificate with my private key, and then prints the completed certificate on STDOUT)



I'm currently using Apache as a transparent forward proxy, and to enable virus scanning of SSL traffic, I have configured it to pass SSL traffic unencrypted to a parent proxy which scans traffic for viruses, and this parent then forwards traffic to another port of Apache (a separate virtualhost), that converts the traffic back to SSL and sends it out to the internet.



The problem is that this generates a security warning in the browser, even when the CA root is imported. This is because the DN host name does not match the real host name, and using a DN of "*" or something like that doesn't help.

I need to dynamically create and sign certificates for each request, so the DN always stays valid.



If this isn't possible, make this a feature request.

Some users would like the possibility to dynamically generate a certificate. Especially users who want to set up an SSL proxy, OR users that are managing a large number of IPs, for example a large webhosting, and want to dynamically fetch a certificate from a folder, based on the SERVER_ADDR header, instead of configuring about, let's say, 200 virtualhosts (one for each IP and certificate).



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
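The browser warning described in the post comes from certificate name matching. The following is an added example, not part of the original message and not any browser's actual code: a simplified model of the RFC 6125-style rules, showing why a name of "*" covers nothing and why a single fixed certificate cannot cover arbitrary hosts. All host names are constructed.

```python
# Added example: simplified model of certificate name matching
# (RFC 6125-style rules; an approximation, not a browser's implementation).

def name_matches(pattern, host):
    """Return True if the certificate name `pattern` covers `host`."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "" in p or "" in h:
        return False  # empty label, malformed name
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two literal labels after the wildcard,
        # so "*" and "*.com" are refused outright.
        if len(p) < 3:
            return False
        p, h = p[1:], h[1:]
    # Every remaining label must be literal; partial or inner
    # wildcards such as "w*.example.com" are not honoured here.
    if any("*" in label for label in p):
        return False
    return p == h


def cert_covers(names, host):
    """True if any name in the certificate covers the requested host."""
    return any(name_matches(n, host) for n in names)


# Constructed sample: certificate names against the host the client asked for.
SAMPLES = [
    (["*"], "www.example.com"),                       # catch-all attempt
    (["proxy.internal.example"], "www.example.com"),  # fixed proxy certificate
    (["*.example.com"], "www.example.com"),           # valid one-label wildcard
    (["*.example.com"], "a.b.example.com"),           # wildcard spans one label only
    (["www.example.com"], "www.example.com"),         # per-host certificate
]


def run_samples():
    return [cert_covers(names, host) for names, host in SAMPLES]


if __name__ == "__main__":
    for (names, host), ok in zip(SAMPLES, run_samples()):
        print(f"{names!r:32} {host:20} {'match' if ok else 'MISMATCH'}")
```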


