[Micronet] Apache, SSL, InCommon

[Micronet] Apache, SSL, InCommon

Richard DeShong-2
Happy New Year (my 1st micronet post of 2013),
Looking for some help on configuring SSL in Apache on a Win7 box.  The documentation is typically based on a Unix filesystem, and the version doesn't seem the same - at least my file structure is different.  Here's what I have:

Win7
Apache 2.4
Folders: bin and config seem to be relevant.
"bin" has the openssl.exe which I used to create a cert request.
Just received the email confirmation from InCommon, details below.
"conf" has httpd.conf, and an "extra" folder.
"extra" has the httpd-ssl.conf file.

In the email I rcv'd, it suggests it's best to use the version that includes intermediates & root.  So I was hoping someone could tell me which one would work best with Apache 2.4.

In httpd.conf, I enabled: ssl_module, socache_shmcb_module (per notes in httpd-ssl.conf)

In httpd-ssl.conf, I have the option of using a combined certificate, or one where the private key is separate.  Which is best, or possible with the InCommon certificates?

Then it asks about Certificate Chain, Authority (CA), and Revocation List, with references to files:
"server-ca.crt", "ca-bundle.crt", "ca-bundle.crl"
So where do I get these files?


Here's the text of the email I rcv'd:
You have successfully enrolled for an InCommon SSL certificate.
     Format(s) most suitable for your server software:
       as X509 Certificate only, Base64 encoded:
       as X509 Intermediates/root only, Base64 encoded
       as X509 Intermediates/root only Reverse, Base64 encoded:
    Other available formats:
       as PKCS#7 Base64 encoded:
       as PKCS#7 Bin encoded:
       as X509, Base64 encoded:

Finally, apologies for the basic questions.  Previously, I was using Microsoft's IIS.  And they had a GUI install for the SSL cert.

--
Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
164 Chavez Student Center, Berkeley, CA, 94720-4220
510-642-5123     asc.berkeley.edu

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Re: [Micronet] Apache, SSL, InCommon

Karl R. Grose
Hi Richard,

On Fri, Jan 18, 2013 at 10:50 AM, Richard DESHONG <[hidden email]> wrote:

> In the email I rcv'd, it suggests it's best to use the version that includes
> intermediates & root.  So I was hoping someone could tell me which one would
> work best with Apache 2.4.

Have you looked at this Extended example page:

  https://wikihub.berkeley.edu/x/fAe4Ag

It's also Linux-centric, but has more details about the cert files and
how to use and manipulate them.

--Karl

Karl Grose
CalNetOps

Re: [Micronet] Apache, SSL, InCommon

Graham Patterson
In reply to this post by Richard DeShong-2
Typically Apache on Windows would have the openssl stuff in somewhere like
c:\program files\apache Software Foundation\Apache2.x\conf

(may be (x86) in 64 bit systems)

You may get the root authority certificates with openssl, but the Apache
ssl.conf file will need to have the right paths. Otherwise you have to
put in the bundle and intermediate files as well as your certificate in
a location of your choosing.

Apache has changed things with different versions.

Graham


--
Graham Patterson, Systems Administrator
Lawrence Hall of Science, UC Berkeley   510-643-2222
"...past the iguana, the tyrannosaurus, the mastodon, the mathematical
puzzles, and the meteorite..." - directions to my office.
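
An annotated `httpd-ssl.conf` fragment for the setup discussed in this thread, added here as an illustration and not taken from any of the messages or the linked pages. The `c:/Apache24/conf/ssl/` directory, the file names and `www.example.edu` are assumptions; the directives are standard mod_ssl ones, and the comments map them to the files and download formats named in the original question.

```apache
# Added example. Directory, file names and ServerName are assumed placeholders.
# httpd.conf must also have this line uncommented, or the file is never read:
#   Include conf/extra/httpd-ssl.conf

Listen 443

<VirtualHost _default_:443>
    ServerName www.example.edu:443
    SSLEngine on

    # The server's own certificate: the "X509 Certificate only, Base64 encoded"
    # download from the enrollment email.
    SSLCertificateFile "c:/Apache24/conf/ssl/server.crt"

    # The private key created together with the certificate request.
    # The CA never receives it, so it is not in any of the downloads.
    # A separate key file can be given tighter NTFS permissions than the
    # public certificate, which is the reason to prefer it over a combined file.
    SSLCertificateKeyFile "c:/Apache24/conf/ssl/server.key"

    # "server-ca.crt" in the stock file: the intermediate CA certificates sent
    # to browsers along with the server certificate. The file must start with
    # the CA that issued server.crt and work up toward the root, so use
    # whichever of the "Intermediates/root only" and "... Reverse" downloads
    # is in that order.
    # From Apache 2.4.8 on this directive is deprecated and the intermediates
    # can instead be appended to the SSLCertificateFile file, leaf first.
    SSLCertificateChainFile "c:/Apache24/conf/ssl/incommon-chain.crt"

    # "ca-bundle.crt" and "ca-bundle.crl" in the stock file are only used when
    # the server verifies client certificates (SSLVerifyClient). A plain HTTPS
    # site leaves both commented out.
    #SSLCACertificateFile "c:/Apache24/conf/ssl/ca-bundle.crt"
    #SSLCARevocationFile  "c:/Apache24/conf/ssl/ca-bundle.crl"
</VirtualHost>

# Checks before restarting the service:
#   httpd.exe -t                                      (configuration syntax)
#   openssl x509 -noout -modulus -in server.crt
#   openssl rsa  -noout -modulus -in server.key
# For an RSA key the two modulus values must be identical; if they differ,
# the certificate was issued for a different key and Apache will not start.
```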

 
Re: [Micronet] Apache, SSL, InCommon

Richard DeShong-2
Tomo,
Yes.  I just received approval to add to our monthly bill the cost of another virtual server.  So that's in the works, soon.  For now, I've got the box set up and it is working.  Just need to add the SSL cert and work with it.  Will transition to the data center later this term.

Karl,
Thanks for the page.  I'll check it out to see if there are any questions left.

Graham,
Thanks for the details about the other certs.  I'll see what I can find.





--
Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
164 Chavez Student Center, Berkeley, CA, 94720-4220
510-642-5123     asc.berkeley.edu

 
Re: [Micronet] Apache, SSL, InCommon

Jack King
In reply to this post by Richard DeShong-2
Richard,

I went through the same process configuring SSL for a FMPRO ADVANCED 11
Server hosted on a MacPro tower running 10.4 at Disabled Students. Campus
security would not allow DSP to run Instant Web Publishing unless they got
SSL going.

You might find the following resource helpful even though it was written
specifically for Mac. I found it to be the most clearly written document.
I was constantly referring back to it when I would start to get lost in
the process.

Since Windows Servers manage this process through a GUI, which makes
installing a certificate almost trivial, I was kind of on my own with a Mac
Server, but it was an interesting learning project. Certain steps need to be
taken in a very particular order before you even get to the final
configuration file edits. It was difficult finding thorough and well
written resources on this subject.

Good Luck


http://hints.macworld.com/article.php?story=20041129143420344


Jack King


Re: [Micronet] Apache, SSL, InCommon

Richard DeShong-2
Thanks Jack.  Some details are helpful.  In my case, I'm not using
self-signed, but the basics still hold.



--
Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
164 Chavez Student Center, Berkeley, CA, 94720-4220
510-642-5123     asc.berkeley.edu

 