Re: Re:non-repudiation
Thanks Robert for writing in.

I already have client authentication active for my specified folder. Whenever a user wants to access that folder they have to present their certificate...

My question was: if I have a web site which requires users to log on with user id / password and a valid certificate, how do I ensure that the certificate user "A" presents with his user id and password was issued to him and not to any other user? It is possible that user "A" logs on to my web site with his user id / password but uses user "B"'s certificate... In such a case non-repudiation becomes illogical, because this link

http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#ToC6

only makes sense if there are few users. I have 5,000 users accessing my site.

The flow goes like this:

The first time, the user goes to my OpenCA and requests a certificate. The certificate is issued to the user. The issued certificates are stored directly into my LDAP using the RA interface. The LDAP now has the user id, password and the certificate. My web site uses this LDAP to authenticate the user and give access to the site.

NOW IN SUCH A CASE HOW DO I GO ABOUT ENSURING NON-REPUDIATION?

REGARDS
SONU

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
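An added example, not part of the original post or of mod_ssl: one way to bind a certificate to an account in the flow described above is to compare the certificate the client presented (mod_ssl exports it as SSL_CLIENT_CERT when SSLOptions +ExportCertData is set) with the one stored for the user id that just authenticated. The dict standing in for the LDAP directory, the function names and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ssl


def cert_fingerprint(pem: str) -> bytes:
    """SHA-256 over the DER encoding, so PEM line wrapping and CRLF do not matter."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).digest()


def cert_belongs_to_user(user_id: str, presented_pem: str, directory: dict) -> bool:
    """True only if the presented certificate is the one issued to user_id.

    directory maps user id -> PEM certificate stored at issuance time
    (hypothetical stand-in for the LDAP lookup described in the post).
    """
    stored_pem = directory.get(user_id)
    if stored_pem is None or not presented_pem:
        return False  # unknown account or no client certificate: deny
    try:
        presented = cert_fingerprint(presented_pem)
        stored = cert_fingerprint(stored_pem)
    except ValueError:
        return False  # malformed PEM on either side: deny
    return hmac.compare_digest(presented, stored)


# Constructed sample data: placeholder bytes wrapped as PEM, not real X.509 certificates.
CERT_A = ssl.DER_cert_to_PEM_cert(b"constructed DER placeholder for user A" * 3)
CERT_B = ssl.DER_cert_to_PEM_cert(b"constructed DER placeholder for user B" * 3)
DIRECTORY = {"userA": CERT_A, "userB": CERT_B}

if __name__ == "__main__":
    # userA logs on with the right password and presents each certificate in turn
    print("A with A's cert:", cert_belongs_to_user("userA", CERT_A, DIRECTORY))
    print("A with B's cert:", cert_belongs_to_user("userA", CERT_B, DIRECTORY))
```

The comparison only ties the certificate to the account; it assumes mod_ssl has already verified the chain and the client's possession of the private key during the handshake (SSLVerifyClient require).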
make certificate command
Hi all

I'm trying to generate my fake client certificate for test purposes. For this I'm using the "make certificate" command under apache (which is tied to openssl via modssl). I have a question in the process, when I reach STEP 3 it tells me:

"STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/O=telkom/OU=users/CN=Jose
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil [EMAIL PROTECTED]
error 10 at 1 depth lookup:Certificate has expired
OK"

Does this mean my server.crt wasn't signed by the CA SnakeOil because it has expired??

Thanks in advance
Jose Correia
Re: sign.sh
Don't know if this is the same but try

http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap24sec195.html

-Tim

On Tuesday 10 September 2002 14:03, you wrote:
> Hi... I am new to openssl encryption and I fell on an article
> ( sfp548.com ) that help me
> write my own certificate...
>
> http://www.afp548.com/Articles/web/sslcert.html
>
> however when i attempt to curl a file from modssl.org the file/link
> does not exist
>
> curl -O http://www.modssl.org/source/cvs/exp/mod_ssl/pkg.mod_ssl/pkg.contrib/sign.sh
>
> is it possible to get sign.sh from anywhere ?
>
> Stephane
Re: httpd.conf
Thanks for the tip John,

But that shuts down port 443 altogether. I still need it open for my 1 SSL host

    ServerName secure
    DocumentRoot /path
    ServerAdmin root@localhost
    ServerSignature email
    # Turning the 3 below on is VERY important
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # must manually create file first
    SSLLogFile /var/www/html/WEBSITES/SITE2/logs/ssl.log

--- John Ott <[EMAIL PROTECTED]> wrote:
> Cuong Tran wrote:
>
> > The problem I am having is that all the
> > normal virtual hosts as a result have been SSL
> > readable as well.
> >
> > # (below) won't make it automatically listen on the
> > virtual server's port.
> > Listen 443
>
> Change the above to
> Listen 192.168.0.3:443
> that will get the result you desire.
>
> later
> John
sign.sh
Hi... I am new to openssl encryption and I fell on an article ( sfp548.com ) that help me write my own certificate...

http://www.afp548.com/Articles/web/sslcert.html

however when i attempt to curl a file from modssl.org the file/link does not exist

    curl -O http://www.modssl.org/source/cvs/exp/mod_ssl/pkg.mod_ssl/pkg.contrib/sign.sh

is it possible to get sign.sh from anywhere ?

Stephane
Re: httpd.conf
Cuong Tran wrote:

> The problem I am having is that all the
> normal virtual hosts as a result have been SSL
> readable as well.
>
> # (below) won't make it automatically listen on the
> virtual server's port.
> Listen 443

Change the above to

    Listen 192.168.0.3:443

that will get the result you desire.

later
John
how to generate an authoritative CA Certificate?
hello, everybody:

Glad to talk to you! I happen to be a learner, so if some of my problems make you feel bad, please be patient with me!

When I constructed my web station through apache, I met with some problems! I made the CA Certificate by myself, and issued a server.crt for my web server using this CA, but I found an unexpected warning happened when I tried to connect to my apache server through MSIE & netscape. There is a warning message which says my certificate is not issued by a Trusted CA. I think the CA generated by myself must have some problems. My question is: can guys make a CA by themselves? If so, the steps I used to generate my CA are:

1. create a RSA private key for my CA:
   $ openssl genrsa -des3 -out ca.key 1024
2. create a self-signed CA Certificate (X509 structure) with the RSA key of the CA.
   $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
3. sign the certificate of my server using sign.sh provided by mod_ssl/pkg.contrib/
   $ sign.sh server.csr

Then I got my server.crt issued by my CA Certificate. Are there any problems in the process I used to generate the CA? Any help is appreciated! :)

zhaoxd