Index: openacs-4/packages/acs-core-docs/www/install-ssl.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/install-ssl.html,v diff -u -r1.4 -r1.5 --- openacs-4/packages/acs-core-docs/www/install-ssl.html 5 May 2004 12:36:04 -0000 1.4 +++ openacs-4/packages/acs-core-docs/www/install-ssl.html 11 Jun 2004 10:17:37 -0000 1.5 @@ -1,21 +1,21 @@ -
Debian Users: apt-get install openssl before proceeding.
Make sure nsopenssl.so is installed for AOLserver.
Uncomment this line from config.tcl.
#ns_param nsopenssl ${bindir}/nsopenssl.so -
Prepare a certificate directory for the service.
[service0 etc]$ mkdir /var/lib/aolserver/service0/etc/certs -[service0 etc]$ chmod 700 /var/lib/aolserver/service0/etc/certs -[service0 etc]$ -mkdir /var/lib/aolserver/service0/etc/certs -chmod 700 /var/lib/aolserver/service0/etc/certs
It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.
Use an OpenSSL perl script to generate a certificate and key.
[service0 service0]$ cd /var/lib/aolserver/service0/etc/certs -[service0 certs]$ perl /usr/share/ssl/misc/CA -newcert +Installing SSL Support for an OpenACS service Debian Users: apt-get install openssl before proceeding.
Make sure nsopenssl.so is installed for AOLserver.
Uncomment this line from config.tcl.
#ns_param nsopenssl ${bindir}/nsopenssl.so +Prepare a certificate directory for the service.
[$OPENACS_SERVICE_NAME etc]$ mkdir /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs +[$OPENACS_SERVICE_NAME etc]$ chmod 700 /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs +[$OPENACS_SERVICE_NAME etc]$ +mkdir /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs +chmod 700 /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certsIt takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.
Use an OpenSSL perl script to generate a certificate and key.
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs +[$OPENACS_SERVICE_NAME certs]$ perl /usr/share/ssl/misc/CA -newcert Using configuration from /usr/share/ssl/openssl.cnf Generating a 1024 bit RSA private key ...++++++ .......++++++ writing new private key to 'newreq.pem' Enter PEM pass phrase:Enter a pass phrase for the CA certificate. Then, answer the rest of the questions. At the end you should see this:
Certificate (and private key) is in newreq.pem -[service0 certs]$newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.
[root misc]# openssl rsa -in newreq.pem -out keyfile.pem +[$OPENACS_SERVICE_NAME certs]$newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.
[root misc]# openssl rsa -in newreq.pem -out keyfile.pem read RSA key Enter PEM pass phrase: writing RSA key -[service0 certs]$To create the certificate file, we take the combined file, copy it, and strip out the key.
[service0 certs]$ cp newreq.pem certfile.pem +[$OPENACS_SERVICE_NAME certs]$To create the certificate file, we take the combined file, copy it, and strip out the key.
[$OPENACS_SERVICE_NAME certs]$ cp newreq.pem certfile.pem [root misc]# emacs certfile.pemStrip out the section that looks like
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,F3EDE7CA1B404997
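Review bot: the unchanged context lines in this hunk still show the key-stripping steps under a different prompt, `[root misc]# openssl rsa -in newreq.pem -out keyfile.pem` and `[root misc]# emacs certfile.pem`, while every surrounding command in the same walkthrough is shown as the service user inside the certs directory with the new `[$OPENACS_SERVICE_NAME certs]$` prompt; since the point of this revision is to replace the hard-coded `service0` prompts, those two lines should be updated to match so readers are not led to run the key conversion as root from `/usr/share/ssl/misc` and end up with a root-owned key the service cannot read. The same step also writes the unprotected `keyfile.pem` with default umask permissions right after the text explains that anyone who can read that file effectively owns the key; the directory is restricted with `chmod 700` but the file is not, so a follow-up line such as `chmod 600 keyfile.pem` belongs immediately after the `openssl rsa` command to make the stated mitigation complete.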