Re: [cobalt-users] Equifax Secure Certificate installation on RAQ3
- Subject: Re: [cobalt-users] Equifax Secure Certificate installation on RAQ3
- From: "Mark Baker - Cobalt Lists" <cobalt@xxxxxxxxxxxxxxxxxx>
- Date: Sun Sep 17 13:45:15 2000
Great... can someone give me instructions for using vi to edit this part?
Including all commands, I need the most basic ones even!
e.g. copying httpd.conf as a backup, finding lines etc., and so on.
Thanks, sorry for being so slow about this!
Regards,
Mark Baker
Dark Marketing Ltd
http://www.yoursitehere.co.uk
------------------------------------------------------------------
Low cost Internet Solutions including Hosting,
Domain Registration and Design.
http://www.yoursitehere.co.uk | info@xxxxxxxxxxxxxxxxxx
------------------------------------------------------------------
FREE .co.uk with Unix hosting package 2 to 7 at
http://www.yoursitehere.co.uk !!
------------------------------------------------------------------
----- Original Message -----
From: Tony <isplists@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Cc: <mark@xxxxxxxxxxxxxxxxxx>
Sent: Sunday, September 17, 2000 9:39 PM
Subject: RE: [cobalt-users] Equifax Secure Certificate installation on RAQ3
> Jeff,
>
> I have no desire to get into a pissing match with you.
>
> Of course the browser will show Equifax.
> The information I'm passing on that I originally posted
> to the Developers list came directly from an Equifax Apache engineer.
> The Equifax Secure Server Certificates ARE chained to the Thawte CA.
> =======================================================================
> See: http://www.equifaxsecure.com/ebusinessid/cps.html
>
> 2. Equifax Secure Server Certificates
>
> Equifax Secure Server Certificates are X.509 Certificates with SSL
> Extensions that chain to the Thawte CA and which facilitate secure
> electronic commerce by providing limited authentication of a Subscriber's
> server and permitting SSL encrypted transactions between a Relying Party's
> browser and the Subscriber's server.
> =======================================================================
>
> The original Cobalt Raq3 SSL rewrite rules did not allow for another CA other
> than Verisign/Thawte. That's why the Equifax certs don't work right out of the
> box.
> One has to edit the httpd.conf to allow for the Equifax SSLCACertificate.
>
> This is the solution: (cobalt-dev archives 5/16/2000)
>
> =====================================================================
> # Hardcoded, issues with mod_perl and cobalt modules.
> if (/^<\/Virtual/ and (-f "/etc/httpd/ssl/$group")) {
>     $ret = ssl_cert_check("/home/sites/$group/certs/");
>     if ($ret=~/^2/o) {
>         $PerlConfig .= "Listen $ip:443\n";
>         $PerlConfig .= "<VirtualHost $ip:443>\n";
>         $PerlConfig .= "SSLengine on\n";
>         $PerlConfig .= "SSLCertificateFile /home/sites/$group/certs/certificate\n";
>         $PerlConfig .= "SSLCertificateKeyFile /home/sites/$group/certs/key\n";
>         $PerlConfig .= "SSLCACertificateFile /home/sites/$group/certs/cacert\n"; #ADDED THIS LINE
>         $PerlConfig .= join('', @ssl_conf);
>     } elsif (ssl_cert_check("/home/sites/home/certs/") =~ /^2/ ) {
>         $PerlConfig .= "Listen $ip:443\n";
>         $PerlConfig .= "<VirtualHost $ip:443>\n";
>         $PerlConfig .= "SSLengine on\n";
>         $PerlConfig .= "SSLCertificateFile /home/sites/home/certs/certificate\n";
>         $PerlConfig .= "SSLCertificateKeyFile /home/sites/home/certs/key\n";
>         $PerlConfig .= "SSLCACertificateFile /home/sites/home/certs/cacert\n"; # <=========ADDED THIS LINE
>         $PerlConfig .= join('', @ssl_conf);
>     } else {
>         print STDERR "Site $group has invalid certificate: $ret\n";
> =====================================================================
>
> SSLCACertificate file is the second cert that Equifax sends you. I saved
> mine as 'cacert' per Apache's naming scheme.
> The Apache SSL on the Raq needs this as it does not automatically recognize
> Equifax. Actually the Certificate Authority behind Equifax is Thawte.
> Once you save the CA Cert file, add the two lines above and make sure you
> do a full reboot you should be set to go.
>
> > -----Original Message-----
> > From: cobalt-developers-admin@xxxxxxxxxxxxxxx
> > [mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Tarren
> > Sent: Monday, May 15, 2000 10:19 AM
> > To: cobalt-developers@xxxxxxxxxxxxxxx
> > Subject: [cobalt-developers] SSL Certs from Equifax
> >
> >
> > Tony,
> >
> > Thanks for the tip for cheap SSL Certs at equifax.
> > I have now received three pairs of keys; one for the server-admin and two
> > for two separate secure sites.
> >
> > Can you please outline the changes in the httpd.conf file, as having the
> > Certs in two parts is confusing me; I don't understand why I've got two
> > parts for each site!
> >
> > I presume it's this bit that needs changing: httpd.conf ->
> >
> > # Hardcoded, issues with mod_perl and cobalt modules.
> > if (/^<\/Virtual/ and (-f "/etc/httpd/ssl/$group")) {
> >     $ret = ssl_cert_check("/home/sites/$group/certs/");
> >     if ($ret=~/^2/o) {
> >         $PerlConfig .= "Listen $ip:443\n";
> >         $PerlConfig .= "<VirtualHost $ip:443>\n";
> >         $PerlConfig .= "SSLengine on\n";
> >         $PerlConfig .= "SSLCertificateFile /home/sites/$group/certs/certificate\n";
> >         $PerlConfig .= "SSLCertificateKeyFile /home/sites/$group/certs/key\n";
> >         $PerlConfig .= join('', @ssl_conf);
> >     } elsif (ssl_cert_check("/home/sites/home/certs/") =~ /^2/ ) {
> >         $PerlConfig .= "Listen $ip:443\n";
> >         $PerlConfig .= "<VirtualHost $ip:443>\n";
> >         $PerlConfig .= "SSLengine on\n";
> >         $PerlConfig .= "SSLCertificateFile /home/sites/home/certs/certificate\n";
> >         $PerlConfig .= "SSLCertificateKeyFile /home/sites/home/certs/key\n";
> >         $PerlConfig .= join('', @ssl_conf);
> >     } else {
> >         print STDERR "Site $group has invalid certificate: $ret\n";
> >
> > on 4/5/00 3:19 pm, Tony at isplists@xxxxxxxxxxxx wrote:
> >
> > Regards,
> >
> > Tarren.
> >
> > > Well there is a little extra work to do...You need to add an extra line in
> > > the http.conf to point to their CA cert. I'm sure Cobalt will get around to
> > > patching this. Otherwise it seems to work fine.
> > >
>
>
>
>
> > -----Original Message-----
> > From: cobalt-users-admin@xxxxxxxxxxxxxxx
> > [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Jeff Lasman
> > Sent: Sunday, September 17, 2000 2:27 PM
> > To: cobalt-users@xxxxxxxxxxxxxxx
> > Subject: Re: [cobalt-users] Equifax Secure Certificate installation on RAQ3
> >
> >
> > Tony wrote:
> >
> > > The CA for Equifax Certs is actually Thawte.
> >
> > Really? See below...
> >
> > > You'll need to edit your httpd.conf correctly
> > > in order to not receive that error.
> > > Try https://www.registerforless.net/
> > > and see if you get the same error. It's using an Equifax Cert.
> >
> > Here's what my browser returns for "https://www.registerforless.net/":
> >
> > > This Certificate belongs to:     This Certificate was issued by:
> > > www.registerforless.net          Equifax Secure E-Business CA
> > > admin@xxxxxxxxxxxxxxxxxxxxxxx    Equifax Secure Inc
> > > DOMAIN REGISTRATION              US
> > > Global Profit Solutions
> > > IRVING, TX, US
> > >
> > > Serial Number: 03:EF
> > > This Certificate is valid from Mon Apr 17, 2000 to Tue Apr 17, 2001
> > > Certificate Fingerprint:
> > > DC:20:AE:8F:4E:60:AA:3D:F7:EC:48:34:FF:39:D9:BA
> >
> > Sure doesn't look like Thawte to me.
> >
> > Jeff
> > --
> > Jeff Lasman <jblists@xxxxxxxxxxxxx>
> > nobaloney.net
> > P. O. Box 52672
> > Riverside, CA 92517
> > voice: (909) 787-8589 * fax: (909) 782-0205
> >
> >
> >
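
A pre-flight check for the httpd.conf edit quoted above, as an added example that is not part of the original thread: the edited rules emit SSLCACertificateFile for every SSL-enabled site, so each site's certs directory needs a cacert file next to certificate and key. The paths come from the quoted snippet; the function names and the sample tree are constructed for illustration, and only each site's own certs directory is checked, not the /home/sites/home fallback.

```shell
#!/bin/sh
# Added example: pre-flight check for the edited RaQ3 SSL rules.
# Paths default to those in the quoted httpd.conf snippet; the function
# names are hypothetical.

# check_ssl_sites [FLAG_DIR] [SITES_DIR]
# Prints one line per problem; returns 0 if every SSL-enabled site is
# complete, 1 otherwise.
check_ssl_sites() {
    flag_dir=${1:-/etc/httpd/ssl}
    sites_dir=${2:-/home/sites}
    problems=0
    for flag in "$flag_dir"/*; do
        [ -f "$flag" ] || continue   # same test as -f "/etc/httpd/ssl/$group"
        group=$(basename "$flag")
        for name in certificate key cacert; do
            f="$sites_dir/$group/certs/$name"
            if [ ! -s "$f" ]; then
                echo "$group: $name missing or empty"
                problems=$((problems + 1))
            elif [ "$name" != key ] && ! grep -q 'BEGIN CERTIFICATE' "$f"; then
                echo "$group: $name is not a PEM certificate"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample tree: site1 is complete, site2 has no cacert yet.
make_sample() {
    root=$1
    mkdir -p "$root/ssl"
    for s in site1 site2; do
        mkdir -p "$root/sites/$s/certs"
        : > "$root/ssl/$s"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
            '-----END CERTIFICATE-----' > "$root/sites/$s/certs/certificate"
        echo 'constructed key placeholder' > "$root/sites/$s/certs/key"
    done
    cp "$root/sites/site1/certs/certificate" "$root/sites/site1/certs/cacert"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_ssl_sites "$tmp/ssl" "$tmp/sites" || echo "fix the sites above before restarting httpd"
rm -rf "$tmp"
```

Where openssl is installed, running `openssl verify -CAfile cacert certificate` in a site's certs directory confirms that the server certificate actually chains to the saved CA certificate.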