FW: Client Certificates (Help!)
on 12.01.2005 04:02:22 by dashley
-----Original Message-----
From: David T. Ashley [mailto:dashley@abi-consulting.com]
Sent: Tuesday, January 11, 2005 9:57 PM
To: john mcnicholas
Subject: RE: Client Certificates (Help!)
Hi John,
The following script shows how I generated my keys and certificates.
Notice the exports to .p12. The .p12 is sucked in by the browser (Internet
Explorer in my case).
If you have any more questions or if I've done something wrong in the script
below please write back.
The general form of the script was lifted from a web page somewhere (can't
remember which one).
Also, if you want the relevant lines from my Apache configuration file,
please write back.
Thanks, Dave.
----------
#!/bin/bash
#
echo "Generating certification authority key ..."
openssl genrsa -rand /var/log/messages -out ecollab_ca.key 2048
echo ""
#
echo "Generating certification authority certificate. Information entered"
echo "should reflect the authority. Organization should be E-COLLAB.COM,"
echo "and organizational unit should be CA."
openssl req -new -x509 -days 3660 -key ecollab_ca.key -out ecollab_ca.crt
echo ""
#
echo "Generating Apache webserver key ..."
openssl genrsa -rand /var/log/messages -out www_ecollab_com.key 2048
echo ""
#
echo "Generating Apache webserver key signing request. Any information"
echo "entered should reflect the server ..."
openssl req -new -key www_ecollab_com.key -out www_ecollab_com.csr
echo ""
#
echo "Signing the apache webserver key with the certification authority"
echo "certificate."
openssl x509 -req -days 3660 -in www_ecollab_com.csr -CA ecollab_ca.crt \
-CAkey ecollab_ca.key -CAcreateserial -out www_ecollab_com.crt
echo ""
#
echo "Generating a key for administrative web page clients."
openssl genrsa -rand /var/log/messages -out client_admin.key 2048
echo ""
#
echo "Generating a certificate signing request for administrative"
echo "client. Any information should have an organizational unit"
echo "of \"Admin\"."
openssl req -new -key client_admin.key -out client_admin.csr
echo ""
#
echo "Signing the administrative client key with the certification authority"
echo "key."
openssl x509 -req -days 3660 -in client_admin.csr -CA ecollab_ca.crt \
-CAkey ecollab_ca.key -CAcreateserial -out client_admin.crt
echo ""
#
echo "Exporting the Admin client certificate/key in a form usable by browsers."
#openssl x509 -in client_admin.crt -text
openssl pkcs12 -export -clcerts -in client_admin.crt -inkey client_admin.key \
-out client_admin.p12
echo ""
#
echo "Generating a key for Cequent web page clients."
openssl genrsa -rand /var/log/messages -out client_cequent.key 2048
echo ""
#
echo "Generating a certificate signing request for Cequent"
echo "client. Any information should have an organizational unit"
echo "of \"Cequent\"."
openssl req -new -key client_cequent.key -out client_cequent.csr
echo ""
#
echo "Signing the Cequent client key with the certification authority"
echo "key."
openssl x509 -req -days 3660 -in client_cequent.csr -CA ecollab_ca.crt \
-CAkey ecollab_ca.key -CAcreateserial -out client_cequent.crt
echo ""
#
echo "Exporting the Cequent client certificate/key in a form usable by browsers."
#openssl x509 -in client_cequent.crt -text
openssl pkcs12 -export -clcerts -in client_cequent.crt -inkey client_cequent.key \
-out client_cequent.p12
echo ""
#
echo "Generating a key for Ford web page clients."
openssl genrsa -rand /var/log/messages -out client_ford.key 2048
echo ""
#
echo "Generating a certificate signing request for Ford"
echo "client. Any information should have an organizational unit"
echo "of \"Ford\"."
openssl req -new -key client_ford.key -out client_ford.csr
echo ""
#
echo "Signing the Ford client key with the certification authority"
echo "key."
openssl x509 -req -days 3660 -in client_ford.csr -CA ecollab_ca.crt \
-CAkey ecollab_ca.key -CAcreateserial -out client_ford.crt
echo ""
#
echo "Exporting the Ford client certificate/key in a form usable by browsers."
#openssl x509 -in client_ford.crt -text
openssl pkcs12 -export -clcerts -in client_ford.crt -inkey client_ford.key \
-out client_ford.p12
echo ""
#
#End of script.
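A check script, added here and not part of Dave's mail, that verifies what the script above produces before the .p12 files are handed out: each client certificate must chain to ecollab_ca.crt, carry the OU the script prompts for (Admin, Cequent or Ford), and match its private key. The file names and OU values come from the script; the check_client function and the --all switch are this example's own.

```shell
#!/bin/bash
# Added example (not from the original mail): sanity-check the client
# certificates produced by the generation script. Assumes that script's file
# names (ecollab_ca.crt, client_<group>.crt/.key) and OU convention.
set -u

# check_client CERT KEY EXPECTED_OU [CA_CERT]
# Exit 0 only when all three hold:
#   1. CERT chains to CA_CERT, i.e. this CA really signed it,
#   2. the subject OU equals EXPECTED_OU (what a per-group access rule keys on),
#   3. KEY is the private key belonging to CERT (else the .p12 export is useless).
check_client() {
    cert=$1 key=$2 want_ou=$3 ca=${4:-ecollab_ca.crt}

    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not chain to $ca" >&2; return 1
    fi

    # One attribute per line, long names: pick the organizationalUnitName value.
    have_ou=$(openssl x509 -noout -subject -nameopt sep_multiline,lname -in "$cert" \
              | sed -n 's/^ *organizationalUnitName=//p' | head -n 1)
    if [ "$have_ou" != "$want_ou" ]; then
        echo "$cert: OU is '$have_ou', expected '$want_ou'" >&2; return 1
    fi

    # RSA keys (the script uses genrsa): cert and key must share the modulus.
    cert_mod=$(openssl x509 -noout -modulus -in "$cert")
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "$cert: private key $key does not match" >&2; return 1
    fi

    echo "$cert: OK (OU=$want_ou, valid until $(openssl x509 -noout -enddate -in "$cert" | cut -d= -f2))"
}

# Invoked as "./check_clients.sh --all": run over the three groups from the script.
if [ "${1:-}" = "--all" ]; then
    rc=0
    for pair in admin:Admin cequent:Cequent ford:Ford; do
        check_client "client_${pair%%:*}.crt" "client_${pair%%:*}.key" "${pair##*:}" || rc=1
    done
    exit $rc
fi
```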
> -----Original Message-----
> From: john mcnicholas [mailto:jomcn@mail.com]
> Sent: Tuesday, January 11, 2005 7:45 PM
> To: dashley@abi-consulting.com
> Subject: Re: Client Certificates (Help!)
>
>
> Hi Dave,
>
> I hope you don't mind me writing to you directly, but I was hoping you
> could give some details as to how you solved your problem.
>
> I am currently struggling to get the client certificates to work using
> apache2 on OS X, and I believe one of my problems is the format of the
> client certificate so I'm curious to hear your solution. (plus any
> advice you might have)
>
> Again sorry to bother you, but I've been spinning my wheels for a while
> now. Thanks for your time.
>
> John
>
> //----------------------------------------------------------
>
> Hi Mr. Waters,
>
> I got it all straightened out. I had just not converted to the right
> key/certificate format, etc.
>
> Did, however, run into a bug where Apache won't support POST with client
> authentication. I've been advised to downgrade Apache.
>
> Dave.
>
> > -----Original Message-----
> > From: owner-modssl-users@modssl.org
> > [mailto:owner-modssl-users@modssl.org]On Behalf Of P Larkin Waters
> > Sent: Tuesday, January 04, 2005 6:11 AM
> > To: modssl-users@modssl.org
> > Subject: Re: Client Certificates (Help!)
> >
> >
> > did you use a real certificate?
> > if you used a test certificate did you install the test certificate
> > authority?
> > I'm sure you know that test certificates don't work with the CA's that
> > come preinstalled in most browsers.
> >
> > ____
> > Theory is when you know something, but it doesn't work.
> > Practice is when something works, but you don't know why.
> > Programmers combine theory and practice:
> > Nothing works and they don't know why.
> > --Unknown
> > ----- Original Message -----
> > From: "David T. Ashley"
> > To:
> > Sent: Tuesday, December 21, 2004 7:29 PM
> > Subject: Client Certificates (Help!)
> >
> >
> > > Hi,
> > >
> > > Does anyone have any good URLs or instructions about how to create client
> > > certificates for browsers so that only browsers with the certificate can
> > > connect to the server (or view certain directories on the server)?
> > >
> > > I tried one procedure I found on the web, and it ended up with Apache
> > > complaining about the keys and certificates it had. The best I could do
> > > myself was a self-signed SSL certificate (which worked fine), but the client
> > > certificates didn't work out.
> > >
> > > I'll try any procedures anyone supplies, and if that doesn't work I'll post
> > > detailed information about what I tried and what went wrong.
> > >
> > > The site, by the way, is www.e-collab.com. The self-signed SSL certificate
> > > for Apache worked fine. It was just the more advanced stuff that eluded me.
> > >
> > > Thanks a lot!
> > >
> > > Merry Christmas!
> > >
> > > Dave Ashley.
> > >
> > >
> > > ______________________________________________________________________
> > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > > User Support Mailing List modssl-users@modssl.org
> > > Automated List Manager majordomo@modssl.org
> > >
> >