On 2/2/2017 at 1:27 PM, "Erik Dobák" <erik.do...@gmail.com> wrote:
>
>well i am still unsure about the full encryption. i don't like that. if
>there is a problem the overheads grow to analyze the situation. what about
>just signing the messages? i mean if you have messages for all why do you
>want to hide them?
>

Because the site has a user authentication portal.  The owner of the server 
does not want user passwords being sent in plaintext.  Some portions of the 
site are not open to the public.  There is computational overhead, but they have 
invested in hardware sufficient for managing that.  The problem I am faced with 
is a software/compatibility/standards issue.

I wholeheartedly believe in the open internet model though and my own personal 
sites are available on our favorite port 80, as well as port 443 (via 
letsencrypt.org) for the paranoid who think the gov't can't see it.

>E
>
>On 2 February 2017 at 17:54, <rich.gre...@hushmail.com> wrote:
>
>> Hello,
>>
>> There is a freshly installed (from Ubuntu 16.04 package) apache server
>> running in a large institution that needs to have port 443 traffic
>> enabled.  I am helping a friend of mine configure this server and, at the
>> same time, writing a document for reproducing the installation procedure
>> that will be published online.  The server has its own subdomain and the
>> system administrator generated encryption keys to be used for this server.
>> The administrator is talented, but seems to be inexperienced in open-source
>> solutions, so outside help is needed.  As a courtesy to my friend, whom I'm
>> helping set this up, I've anonymized the TLD from the filename, but the
>> files are as follows:
>>
>> _.example.com.p12
>> Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
>> SSL Certificate - .example.com.txt
>>
>> I personally do not have easy access to these files, but I can request
>> actions to be performed on them.  I had not previously been acquainted with
>> P12 files until now.  I found a website that seems to be able to help me
>> export data from the P12 file into a data format that apache can readily
>> use:
>>
>> http://wiki.i.gov.ph/iwiki/bin/view/PNPKI/How+to+install+SSL+certificate+in+apache+ubuntu+server
>>
>> After reading through this website, I proposed these steps:
>>
>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nocerts -out /vault/private.pem
>> sudo openssl rsa -in /vault/private.pem -out /vault/key.pem
>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -clcerts -nokeys -out /vault/cert.pem
>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nokeys -cacerts -out /vault/CAchain.pem
>>
>> And then modify ./sites-available/site-443.conf with the lines:
>>
>> SSLCertificateFile /vault/cert.pem
>> SSLCertificateKeyFile /vault/key.pem
>> SSLCertificateChainFile /vault/CAchain.pem
>> SSLCACertificateFile "Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt"
>>
>>
>> We tried some of the openssl commands in that document, but we don't have
>> the password.  The file named "SSL Certificate - .example.com.txt" is
>> unused, and that does concern me that I'm either neglecting a critical file
>> or needlessly duplicating it.  Before asking the administrator for a
>> password, we have questioned whether we are making this needlessly
>> difficult and were curious if there is a solution where these files can be
>> used directly by apache.
>>
>> As you can guess, I'm no expert at encryption.  Getting keys, for the
>> purpose of self-education is very expensive.  The extent of my experience
>> is limited to creating self-signed certificates back in the good old days
>> before the web-browser people decided that was to be forbidden practice,
>> and more recently, letsencrypt.org, which operates in a magical smoke and
>> mirrors method.  I would like to know if this would be the best practice
>> for my friend encrypting his server's traffic.  I am very grateful for any
>> feedback.
>>
>> Thank you very much!
>>
>> Rich
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>

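The extraction steps from Rich's quoted post, carried through with the checks a practitioner would run before editing the vhost, as an added example that is not from the thread or the linked wiki. It assumes openssl on PATH, the bundle password exported as P12_PASS, and (for the combined fullchain file) Apache 2.4.8 or newer; the "constructed" sample names in comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: split a PKCS#12 bundle into the files
# Apache wants and check they belong together before touching the vhost.
# Assumes openssl is on PATH and the bundle password is exported as P12_PASS
# (env: keeps the password off the command line, where `ps` could show it).
set -eu

# $1 = bundle.p12, $2 = output directory. The key is written unencrypted
# (-nodes) because httpd cannot answer a passphrase prompt on an unattended
# restart; umask 077 keeps key.pem readable by the creating user only.
extract_p12() {
    p12="$1"; out="$2"
    umask 077
    mkdir -p "$out"
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes -out "$out/key.pem"
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys -out "$out/cert.pem"
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys -out "$out/CAchain.pem"
    # Apache 2.4.8+ accepts leaf + chain in one file via SSLCertificateFile,
    # which removes the need for a separate SSLCertificateChainFile line.
    cat "$out/cert.pem" "$out/CAchain.pem" > "$out/fullchain.pem"
}

# True when key.pem and cert.pem carry the same public key; a key that does
# not belong to the certificate is caught here rather than at httpd start.
key_matches_cert() {
    k=$(openssl pkey -in "$1/key.pem" -pubout)
    c=$(openssl x509 -in "$1/cert.pem" -pubkey -noout)
    [ "$k" = "$c" ]
}

# True when the leaf chains to something in CAchain.pem. Every cert in that
# file is treated as trusted, so this proves the files belong together, not
# that a browser's root store would accept the chain.
verify_chain() {
    openssl verify -CAfile "$1/CAchain.pem" "$1/cert.pem" >/dev/null
}

# Usage: P12_PASS=... ./extract.sh /vault/bundle.p12 /vault/out  (constructed paths)
if [ $# -eq 2 ]; then
    extract_p12 "$1" "$2"
    key_matches_cert "$2" && echo "key matches certificate"
    verify_chain "$2" && echo "certificate verifies against extracted chain"
fi
```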