
Re: SSL Server Certificate



At 09:31 AM 2/5/2004, you wrote:

>One of these Perl script systems sets configurations
>by an "admin" sign-in on a web page.  It just
>seems to me that any time passwords are used,
>they should be secure.

Which OS? The SSL certificate itself is more a function of the OS than 
Apache - Apache only uses the cert to initiate the encryption session.

In order to make it work, you must:

1) Configure your OS with an SSL toolkit (OpenSSL, or equivalent), and 
configure Apache with the appropriate module.

2) Create a key and certificate using the toolkit, **OR** generate the key 
and purchase a 'traceable' certificate from a CA.

3) Configure Apache with the reference to the cert in the SSL config, such as:

#
# secure.domain.com
#
<VirtualHost n.n.n.n:443>
Port 443
SSLEnable
SSLCertificateKeyFile <path>/servername.cert.key
SSLCertificateFile <path>/servername.cert.cert
ServerAdmin webmaster@domain.com
ServerName secure.domain.com
DocumentRoot <path>/html
ErrorLog <path>/logs/error_log
TransferLog <path>/logs/access_log
</VirtualHost>

Most current OSs will generate the certificate for you (e.g. OpenBSD) ... 
we use Webmin all the time for admin functions and always use the SSL 
functionality.

>Also, I am thinking about having a Perl CGI
>development area where I might want to be the
>only person who can sign on.

If you're the only person doing development (or development is done 
in-house), that's a security job for a network device like a firewall. 
Normally you would not wish to incur the SSL overhead if you don't need it.

>That might work in my favor by discouraging
>people who shouldn't be trying to sign on,
>anyway.

Remember also, do not confuse SSL [data encryption] with login requirements 
[access control] - using an .htpasswd file to restrict access to a 
directory tree is separate and distinct from SSL data encryption.

         HTH,

         Lee

============================================
    Leland V. Lammert                                lvl@omnitec.net
       Chief Scientist                         Omnitec Corporation
   Network/Internet Consultants              www.omnitec.net
============================================
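
An added example, not part of the message above: steps 2 and 3 as shell, creating a self-signed key and certificate with OpenSSL and checking the pair before the VirtualHost is pointed at it. The file names follow the config in the message; the throwaway directory, the 2048-bit RSA key, the 365-day lifetime and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. File names mirror the VirtualHost in the message; the
# directory and host name are constructed placeholders.

# Create a 2048-bit RSA key and a self-signed certificate for host $2 in dir $1.
make_selfsigned() {
    (
        umask 077    # the private key must not be group/world readable
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$2" \
            -keyout "$1/servername.cert.key" \
            -out "$1/servername.cert.cert" 2>/dev/null
    )
}

# Succeed only if the public key derived from key $1 equals the one in cert $2.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Pre-flight for one pair: $1 key file, $2 cert file, $3 expected ServerName.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: key does not match certificate"; rc=1; }
    subj=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null)
    case ",${subj#subject=}," in
        *"CN=$3,"*) ;;
        *) echo "FAIL: certificate CN is not $3"; rc=1 ;;
    esac
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; rc=1; }
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ] ||
        { echo "FAIL: key file is readable by group or others"; rc=1; }
    return $rc
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" secure.domain.com
check_pair "$demo_dir/servername.cert.key" "$demo_dir/servername.cert.cert" \
    secure.domain.com && echo "key/cert pair OK"
rm -rf "$demo_dir"
```

A self-signed certificate gives the encrypted session but browsers will warn about it; for a certificate a CA signs, the same key/cert match check applies to the file the CA returns.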
