
RE: [cobalt-users] Equifax Secure Certificate installation on RAQ3



Jeff,

I have no desire to get into a pissing match with you.

Of course the browser will show Equifax.
The information I'm passing on, which I originally posted
to the Developers list, came directly from an Equifax Apache engineer.
The Equifax Secure Server Certificates ARE chained to the Thawte CA.
=======================================================================
See: http://www.equifaxsecure.com/ebusinessid/cps.html

2. Equifax Secure Server Certificates

Equifax Secure Server Certificates are X.509 Certificates with SSL
Extensions that chain to the Thawte CA and which facilitate secure
electronic commerce by providing limited authentication of a Subscriber's
server and permitting SSL encrypted transactions between a Relying Party's
browser and the Subscriber's server.
=======================================================================

The original Cobalt Raq3 SSL rewrite rules did not allow for a CA other than
Verisign/Thawte. That's why the Equifax certs don't work right out of the box.
One has to edit the httpd.conf to allow for the Equifax SSLCACertificate.

This is the solution: (cobalt-dev archives 5/16/2000)

=====================================================================
 # Hardcoded, issues with mod_perl and cobalt modules.
        if (/^<\/Virtual/ and (-f "/etc/httpd/ssl/$group")) {
            $ret = ssl_cert_check("/home/sites/$group/certs/");
            if ($ret=~/^2/o) {
                $PerlConfig .= "Listen $ip:443\n";
                $PerlConfig .= "<VirtualHost $ip:443>\n";
                $PerlConfig .= "SSLengine on\n";
                $PerlConfig .= "SSLCertificateFile /home/sites/$group/certs/certificate\n";
                $PerlConfig .= "SSLCertificateKeyFile /home/sites/$group/certs/key\n";
                $PerlConfig .= "SSLCACertificateFile /home/sites/$group/certs/cacert\n";  # <== ADDED THIS LINE
                $PerlConfig .= join('', @ssl_conf);
            } elsif (ssl_cert_check("/home/sites/home/certs/") =~ /^2/ ) {
                $PerlConfig .= "Listen $ip:443\n";
                $PerlConfig .= "<VirtualHost $ip:443>\n";
                $PerlConfig .= "SSLengine on\n";
                $PerlConfig .= "SSLCertificateFile /home/sites/home/certs/certificate\n";
                $PerlConfig .= "SSLCertificateKeyFile /home/sites/home/certs/key\n";
                $PerlConfig .= "SSLCACertificateFile /home/sites/home/certs/cacert\n";     # <== ADDED THIS LINE
                $PerlConfig .= join('', @ssl_conf);
            } else {
                print STDERR "Site $group has invalid certificate: $ret\n";
=====================================================================

The SSLCACertificateFile is the second cert that Equifax sends you. I saved
mine as 'cacert' per Apache's naming scheme.
The Apache SSL on the Raq needs this as it does not automatically recognize
Equifax. Actually, the Certificate Authority behind Equifax is Thawte.
Once you save the CA Cert file, add the two lines above and make sure you do
a full reboot, and you should be set to go.

> -----Original Message-----
> From: cobalt-developers-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Tarren
> Sent: Monday, May 15, 2000 10:19 AM
> To: cobalt-developers@xxxxxxxxxxxxxxx
> Subject: [cobalt-developers] SSL Certs from Equifax
>
>
> Tony,
>
> Thanks for the tip for cheap SSL Certs at equifax.
> I have now received three pairs of keys; one for the server-admin and two
> for two separate secure sites.
>
> Can you please outline the changes in the httpd.conf file, as having the
> Certs in two parts is confusing me; I don't understand why I've got two
> parts for each site!
>
> I presume it's this bit that needs changing: httpd.conf ->
>
> # Hardcoded, issues with mod_perl and cobalt modules.
>         if (/^<\/Virtual/ and (-f "/etc/httpd/ssl/$group")) {
>             $ret = ssl_cert_check("/home/sites/$group/certs/");
>             if ($ret=~/^2/o) {
>                 $PerlConfig .= "Listen $ip:443\n";
>                 $PerlConfig .= "<VirtualHost $ip:443>\n";
>                 $PerlConfig .= "SSLengine on\n";
>                 $PerlConfig .= "SSLCertificateFile /home/sites/$group/certs/certificate\n";
>                 $PerlConfig .= "SSLCertificateKeyFile /home/sites/$group/certs/key\n";
>                 $PerlConfig .= join('', @ssl_conf);
>             } elsif (ssl_cert_check("/home/sites/home/certs/") =~ /^2/ ) {
>                 $PerlConfig .= "Listen $ip:443\n";
>                 $PerlConfig .= "<VirtualHost $ip:443>\n";
>                 $PerlConfig .= "SSLengine on\n";
>                 $PerlConfig .= "SSLCertificateFile /home/sites/home/certs/certificate\n";
>                 $PerlConfig .= "SSLCertificateKeyFile /home/sites/home/certs/key\n";
>                 $PerlConfig .= join('', @ssl_conf);
>             } else {
>                 print STDERR "Site $group has invalid certificate: $ret\n";
>
> on 4/5/00 3:19 pm, Tony at isplists@xxxxxxxxxxxx wrote:
>
> Regards,
>
> Tarren.
>
> > Well there is a little extra work to do...You need to add an
> extra line in
> > the http.conf to point to their CA cert. I'm sure Cobalt will
> get around to
> > patching this. Otherwise it seems to work fine.
> >
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Jeff Lasman
> Sent: Sunday, September 17, 2000 2:27 PM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] Equifax Secure Certificate installation on
> RAQ3
>
>
> Tony wrote:
>
> > The CA for Equifax Certs is actually Thawte.
>
> Really?  See below...
>
> > You'll need to edit your httpd.conf correctly
> > in order to not receive that error.
> > Try https://www.registerforless.net/
> > and see if you get the same error. It's using an Equifax Cert.
>
> Here's what my browser returns for "https://www.registerforless.net/":
>
> > This Certificate belongs to:      This Certificate was issued by:
> >   www.registerforless.net           Equifax Secure E-Business CA
> >   admin@xxxxxxxxxxxxxxxxxxxxxxx     Equifax Secure Inc
> >   DOMAIN REGISTRATION               US
> >   Global Profit Solutions
> >   IRVING, TX, US
> >
> > Serial Number: 03:EF
> > This Certificate is valid from Mon Apr 17, 2000 to Tue Apr 17, 2001
> > Certificate Fingerprint:
> >   DC:20:AE:8F:4E:60:AA:3D:F7:EC:48:34:FF:39:D9:BA
>
> Sure doesn't look like Thawte to me.
>
> Jeff
> --
> Jeff Lasman <jblists@xxxxxxxxxxxxx>
> nobaloney.net
> P. O. Box 52672
> Riverside, CA  92517
> voice: (909) 787-8589  *  fax: (909) 782-0205
>
>
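The reply at the top of this thread says the browser error disappears once the second file Equifax sends (the CA certificate) is referenced from httpd.conf next to the server certificate. The reason is the chain: a browser that does not ship the issuing CA as a trusted root can only reach one if the server hands it every intermediate, and each certificate's Issuer must match the next certificate's Subject, link by link. The browser dialog Jeff quoted shows only the first link (server cert issued by "Equifax Secure E-Business CA"), which is why it cannot settle what sits above that. Before editing httpd.conf it is worth checking that the two files really form a chain in the order they will be served. The script below is an added example written for this page, not code from the list, from Cobalt or from Equifax. It uses only the Python standard library, walks the DER encoding by hand, and constructs its own unsigned toy certificates (the names "www.example.test", "Example Issuing CA", "Example Root CA" and "Other Issuing CA" are invented) so it runs offline; on a real server you would feed it the concatenation of the certificate and cacert files instead.

```python
"""Chain check for the two PEM files a CA hands out (server certificate plus
the CA certificate that signed it).  Each certificate's Issuer must be
byte-for-byte equal to the next certificate's Subject, or a client cannot
build a path to a trusted root.  Standard library only.

DER layout consulted (RFC 5280):
  Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
  TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                signature, issuer, validity, subject, ... }
"""
import base64
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed DER value into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out


def pem_bundle_to_ders(text):
    """Extract every certificate in a PEM bundle as DER bytes, in file order."""
    return [base64.b64decode("".join(b.split())) for b in _PEM_BLOCK.findall(text)]


def issuer_and_subject(cert_der):
    """Return (issuer, subject) as the raw DER content of the two Name fields."""
    _, cert_value, _ = _tlv(cert_der, 0)           # outer Certificate SEQUENCE
    _, tbs_value = _children(cert_value)[0]        # tbsCertificate
    fields = _children(tbs_value)
    if fields[0][0] == 0xA0:                       # explicit [0] version is optional
        fields = fields[1:]
    # fields: 0=serialNumber 1=signature 2=issuer 3=validity 4=subject ...
    return fields[2][1], fields[4][1]


def common_name(name_value):
    """First commonName (OID 2.5.4.3) inside a DER Name, for readable messages."""
    for _, rdn_set in _children(name_value):
        for _, atv in _children(rdn_set):
            (_, oid), (_, value) = _children(atv)
            if oid == b"\x55\x04\x03":
                return value.decode("utf-8", "replace")
    return "<no CN>"


def check_chain(ders):
    """Return a list of broken links; an empty list means the bundle chains cleanly."""
    problems = []
    for i in range(len(ders) - 1):
        issuer, subject = issuer_and_subject(ders[i])
        _, next_subject = issuer_and_subject(ders[i + 1])
        if issuer != next_subject:
            problems.append("cert %d (%s) was issued by %s, but cert %d is %s" % (
                i, common_name(subject), common_name(issuer),
                i + 1, common_name(next_subject)))
    return problems


# ---- CONSTRUCTED test data: structurally valid X.509 with a dummy signature ----

def _der(tag, content):
    """Encode one DER TLV, using the long length form above 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }"""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def toy_cert_pem(subject_cn, issuer_cn):
    """Hypothetical certificate for exercising the checker; it is NOT signed."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"000417000000Z") + _der(0x17, b"010417000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))
    body = base64.encodebytes(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def demo():
    """Server cert + the CA that issued it (good) vs. server cert + an unrelated CA (bad)."""
    server = toy_cert_pem("www.example.test", "Example Issuing CA")
    issuing_ca = toy_cert_pem("Example Issuing CA", "Example Root CA")
    other_ca = toy_cert_pem("Other Issuing CA", "Other Root CA")
    good = check_chain(pem_bundle_to_ders(server + issuing_ca))
    bad = check_chain(pem_bundle_to_ders(server + other_ca))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("certificate + matching cacert:", good or "chain OK")
    print("certificate + wrong cacert:   ", bad)
```

To use it on a RaQ-style layout, read the server certificate followed by the CA file into one string (the same order Apache serves them) and pass `pem_bundle_to_ders(...)` to `check_chain`; an empty list means the Issuer of each file matches the Subject of the next. The comparison is on the encoded Names byte for byte, which is the first thing X.509 path builders do; it says nothing about signatures, validity dates or whether the top of the chain is actually trusted, so it complements rather than replaces a full verification with the OpenSSL tools.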