Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Apache Software

Apache+LDAP Auth and OpenCA Self-signed Cert Tutorial 10

groundhog00 writes "Posted recently from was an Apache + Basic authentication and self-signed digital certificates article. I thought people might find interest in doing a more scalable solution using parts of the PKI structure with mod_auth_ldap and Apache to communicate with an OpenLDAP server to get basic scalable authentication AND digital certificates using OpenCA as the your homegrown certificate authority. Here are some documents for setting up the certificate authority and getting certificates installed using Internet Explorer 5.x and Netscape 4.x browsers. There will be LDAP configurations for Apache soon, but this is a pretty decent set of documents to start with."
This discussion has been archived. No new comments can be posted.

Apache+LDAP Auth and OpenCA Self-signed Cert Tutorial

Comments Filter:
  • jargon abounds (Score:2, Informative)

    by tps12 ( 105590 )
    authentication...self-signed digital certificates...scalable...PKI...mod_auth_ldap... Apache....OpenLDAP...OpenCA...certificate authority... Netscape

    Wow, what a stream of buzzwords and cryptic jargon.

    WAIT! That was just a joke.

    Seriously, I found the tutorial very informative. I actually have been using basic authentication for my old site, and was noticing that (although my ACLs are short and my pages few) it required a lot of work every time an update or change was made, which was interesting. Often times I would forget certain parts of the procedure and end up with long debugging sessions with my users...not funny. I'd read about LDAP, and it had always seemed very cool, and really underrated. I went through the tutorial and it made everything clear: I will probably convert the old site this weekend; targetting the administrator (who really should be concerned about this stuff) was especially insightful.

  • I found that using only the
    openssl(1) commands, namely

    openssl req -new -newkey rsa:1024 [...]
    openssl x509 [...]
    openssl ca [...]

    being much easier than using OpenCA
    or CA.{pl,sh} _once_ you have made
    your /etc/ssl/openssl.cnf file with
    reasonable values for your CA, and
    probably installed the infrastructure
    (i.e. CA key/cert etc).

    I have built a CA structure consisting
    of a Root CA, two subsidiary CA certs
    (signing the server certificates or
    the client certificates) and many individual
    (server or client) certificates using this
    simple structure and found it working ok.

    I even have a shared "index" and "serial"
    database file for the three CAs, and they
    share a single CRL (signed by the Root CA)
    as well.

    If I could be given a clue how to push this
    through the lameness filter, I would help you
    out posting the directory structure I use and
    the configuration file.
    • Let me see if I can dig up the Subordinate CA documentation I wrote. It takes a little to make one... but its not terribly complicate. - john
    • If anyone has interest in starting a complete CA documentation project, let me know and I'll start getting a package ready. Email: jdwaller_at_cse.buffalo.edu - john
      • What kind of CA administration package will you
        be documenting?
        I am running here just fine under OpenBSD, on
        a Pentium with 75 MHz and 32 MB RAM - no joke.
        And I am just using pure OpenSSL, nothing more,
        because it's so much easier than those CA
        front-ends.

        If you want, I can send you some information
        about how I did this (chained CA structure).
        • absolutely! I'm trying to setup a reasonable knowledge base for CA setup. Not that everyone really has the need for something as complex, but its definately doable if you have the right tools and simplistic view.

          hrmm.. that doesnt sound right. Security-simple
          *shaking head*... you know what I mean.

          - john

"Life sucks, but death doesn't put out at all...." -- Thomas J. Kopp

Working...