https://issues.apache.org/bugzilla/show_bug.cgi?id=46458

           Summary: Allow dynamic generation of certificates.
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [email protected]


I would suggest an enhancement to mod_ssl, allowing people to specify
SSLCertificateFile in this way:

SSLCertificateFile exec:/path/to/script/or/program

example:

SSLCertificateFile exec:/usr/bin/certgenerate %{SERVER_ADDR}
or
SSLCertificateFile exec:/usr/bin/certgenerate %{SERVER_PORT} %{SERVER_ADDR} %{REMOTE_PORT} %{REMOTE_ADDR}

The intent is that the server administrator should be able to specify a script
or a program that dynamically generates the certificate.
Of course, all variables that are available prior to the SSL handshake should
be usable in the SSLCertificateFile statement.

The script or program only needs to output the certificate on STDOUT and then
simply exit.

An example use is a server administrator who has many IPs for the same server
and wants to give each IP number its own certificate without having to create
a VirtualHost for each IP.
By using a program, it would then be possible to fetch the correct certificate
based on the target IP of the request.

Another use would be for people who use Apache as either a forward proxy or a
reverse proxy. The certgenerate software can then fetch the certificate from
the target IP by doing an SSL handshake with the IP, re-signing the
certificate with its own CA key, and then printing the certificate on STDOUT.

This can, for example, be good for making an SSL scanning forward proxy in
environments where security scanning of outgoing SSL traffic is required.
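
A sketch of a `certgenerate` program for the per-IP use case described above, as an added example that is not part of the original report or of mod_ssl (the `exec:` syntax is only proposed here). The directory `/etc/ssl/per-ip`, the `<address>.pem` file naming and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical /usr/bin/certgenerate for the proposed exec: syntax."""
import ipaddress
import sys
from pathlib import Path

CERT_DIR = Path("/etc/ssl/per-ip")  # assumed layout: one <address>.pem per IP
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def cert_path(server_addr, cert_dir=CERT_DIR):
    """Map a %{SERVER_ADDR} value to a certificate file inside cert_dir."""
    # Parsing rejects anything that is not a literal IP ("../x", hostnames).
    addr = ipaddress.ip_address(server_addr)
    # The file name is built from the canonical form, never the raw argument;
    # IPv6 colons are replaced so the name is portable.
    return Path(cert_dir) / (addr.compressed.replace(":", "_") + ".pem")


def load_certificate(server_addr, cert_dir=CERT_DIR):
    """Return the PEM text for server_addr, or raise ValueError/OSError."""
    text = cert_path(server_addr, cert_dir).read_text(encoding="ascii")
    blocks = text.count(PEM_BEGIN)
    if blocks == 0 or blocks != text.count(PEM_END):
        raise ValueError("file does not contain a complete PEM certificate")
    if "PRIVATE KEY" in text:
        # The proposal sends only the certificate to STDOUT.
        raise ValueError("refusing to print private key material")
    return text


def main(argv):
    if len(argv) != 2:
        print("usage: certgenerate SERVER_ADDR", file=sys.stderr)
        return 2
    try:
        sys.stdout.write(load_certificate(argv[1]))
    except (ValueError, OSError) as exc:
        # Empty STDOUT plus non-zero status lets the caller fail closed.
        print(f"certgenerate: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Arguments such as %{REMOTE_ADDR} would be derived from the client connection, so a program like this should parse every argument strictly before using it in a file name or command.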

