Apache Software

Apache+LDAP Auth and OpenCA Self-signed Cert Tutorial

groundhog00 writes "Posted recently was an Apache + Basic authentication and self-signed digital certificates article. I thought people might find interest in doing a more scalable solution using parts of the PKI structure with mod_auth_ldap and Apache to communicate with an OpenLDAP server to get basic scalable authentication AND digital certificates using OpenCA as your homegrown certificate authority. Here are some documents for setting up the certificate authority and getting certificates installed using Internet Explorer 5.x and Netscape 4.x browsers. There will be LDAP configurations for Apache soon, but this is a pretty decent set of documents to start with."

  • jargon abounds (Score:2, Informative)

    by tps12 ( 105590 )
    authentication...self-signed digital certificates...scalable...PKI...mod_auth_ldap... Apache....OpenLDAP...OpenCA...certificate authority... Netscape

    Wow, what a stream of buzzwords and cryptic jargon.

    WAIT! That was just a joke.

    Seriously, I found the tutorial very informative. I actually have been using basic authentication for my old site, and was noticing that (although my ACLs are short and my pages few) it required a lot of work every time an update or change was made, which was interesting. Oftentimes I would forget certain parts of the procedure and end up with long debugging sessions with my users...not funny. I'd read about LDAP, and it had always seemed very cool, and really underrated. I went through the tutorial and it made everything clear: I will probably convert the old site this weekend; targeting the administrator (who really should be concerned about this stuff) was especially insightful.

  • I found that using only the openssl(1) commands, namely

    openssl req -new -newkey rsa:1024 [...]
    openssl x509 [...]
    openssl ca [...]

    to be much easier than using OpenCA or CA.{pl,sh} _once_ you have made your /etc/ssl/openssl.cnf file with reasonable values for your CA, and probably installed the infrastructure (i.e. CA key/cert etc).

    I have built a CA structure consisting of a Root CA, two subsidiary CA certs (signing the server certificates or the client certificates) and many individual (server or client) certificates using this simple structure and found it working OK.

    I even have a shared "index" and "serial" database file for the three CAs, and they share a single CRL (signed by the Root CA) as well.

    If I could be given a clue how to push this through the lameness filter, I would help you out by posting the directory structure I use and the configuration file.
    • Let me see if I can dig up the Subordinate CA documentation I wrote. It takes a little to make one... but it's not terribly complicated. - john
    • If anyone has interest in starting a complete CA documentation project, let me know and I'll start getting a package ready. Email: jdwaller_at_cse.buffalo.edu - john
      • What kind of CA administration package will you be documenting?

        I am running here just fine under OpenBSD, on a Pentium with 75 MHz and 32 MB RAM - no joke. And I am just using pure OpenSSL, nothing more, because it's so much easier than those CA front-ends.

        If you want, I can send you some information about how I did this (chained CA structure).
        • Absolutely! I'm trying to set up a reasonable knowledge base for CA setup. Not that everyone really has the need for something as complex, but it's definitely doable if you have the right tools and a simplistic view.

          Hrmm.. that doesn't sound right. Security-simple *shaking head*... you know what I mean.

          - john
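The chained CA structure discussed in the pure-OpenSSL comments above (a Root CA, a subordinate CA and a server certificate sharing one "index"/"serial" database, plus a single CRL signed by the root), written out as an added POSIX sh example. This is not code posted by anyone in the thread: it uses only openssl req (with -x509 for the self-signed root) and openssl ca; the directory layout, the generated openssl.cnf, the subject names and the www.example.test hostname are all constructed for the example, and 2048-bit RSA stands in for the rsa:1024 quoted in the comment. It needs a working openssl binary on PATH and nothing else.

```shell
#!/bin/sh
# Two-tier CA from plain openssl(1) commands (added example, not from the thread).
# One [ca] section serves both CAs: the signing key/cert are passed on the
# command line, while index.txt, serial and crlnumber are shared, so every
# certificate issued by either CA gets a serial that is unique across the hierarchy.
set -eu

# Write a minimal openssl.cnf into the CA directory given as $1 (constructed config).
write_cnf() {
    cadir=$1
    cat > "$cadir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca ]
default_ca = shared_ca

[ shared_ca ]
dir              = $cadir
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
new_certs_dir    = \$dir/newcerts
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
unique_subject   = no

[ policy_cn ]
commonName       = supplied
organizationName = optional

[ v3_root_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_sub_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Build root CA, subordinate CA and one server certificate under directory $1.
build_demo_ca() {
    cadir=$1
    mkdir -p "$cadir/newcerts"
    : > "$cadir/index.txt"          # shared certificate database, starts empty
    echo 1000 > "$cadir/serial"     # shared serial counter (hex)
    echo 1000 > "$cadir/crlnumber"
    write_cnf "$cadir"
    cnf=$cadir/openssl.cnf

    # 1. Root CA: self-signed in one step with "openssl req -x509".
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$cnf" -extensions v3_root_ca \
        -keyout "$cadir/root.key" -out "$cadir/root.crt" \
        -subj "/O=Example/CN=Example Root CA" 2>/dev/null

    # 2. Subordinate (server-signing) CA: CSR, then signed by the root via "openssl ca".
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
        -keyout "$cadir/sub.key" -out "$cadir/sub.csr" \
        -subj "/O=Example/CN=Example Server CA" 2>/dev/null
    openssl ca -batch -notext -config "$cnf" -days 1825 -extensions v3_sub_ca \
        -keyfile "$cadir/root.key" -cert "$cadir/root.crt" \
        -in "$cadir/sub.csr" -out "$cadir/sub.crt" 2>/dev/null

    # 3. Server certificate, signed by the subordinate CA against the same database.
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
        -keyout "$cadir/server.key" -out "$cadir/server.csr" \
        -subj "/O=Example/CN=www.example.test" 2>/dev/null
    openssl ca -batch -notext -config "$cnf" -extensions v3_server \
        -keyfile "$cadir/sub.key" -cert "$cadir/sub.crt" \
        -in "$cadir/server.csr" -out "$cadir/server.crt" 2>/dev/null

    # 4. One CRL signed by the root over the shared database; root+sub form the chain bundle.
    openssl ca -config "$cnf" -gencrl \
        -keyfile "$cadir/root.key" -cert "$cadir/root.crt" -out "$cadir/root.crl" 2>/dev/null
    cat "$cadir/root.crt" "$cadir/sub.crt" > "$cadir/chain.pem"
}

# Exit 0 when server.crt chains to root.crt through the subordinate CA.
verify_leaf() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/server.crt" >/dev/null 2>&1
}

# Number of entries in the shared index.txt (one line per certificate issued by either CA).
count_issued() {
    wc -l < "$1/index.txt" | tr -d ' '
}

demo=$(mktemp -d)
build_demo_ca "$demo"
verify_leaf "$demo" && echo "server.crt chains to the root: OK ($(count_issued "$demo") certificates in the shared index)"
```

Run it with `sh demo-ca.sh`; a second subordinate CA for client certificates is just step 2 repeated with its own key pair and a `clientAuth` extension section. One caveat on the single root-signed CRL the comment describes: a relying party checking the server certificate for revocation looks for a CRL issued by the certificate's own issuer (here the subordinate CA), so in practice each issuing CA publishes its own CRL, or the root's CRL must be marked as an indirect CRL, for `openssl verify -crl_check` to accept it.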
