Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Colorado, L=Colorado Springs, O=UCCS, OU=Computer Science,
CN=CAfc3/emailAddress=ca@fc3c.csnet.uccs.edu
Validity
Not Before: Feb 15 20:14:55 2005 GMT
Not After : Feb 15 20:14:55 2006 GMT
Subject: C=US, ST=Colorado, L=Colorado Springs,
O=UCCS, OU=Computer Science, CN=serverfc3/emailAddress=webmaster@fc3c.csnet.uccs.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a3:8a:4b:6c:9b:25:0b:df:55:26:7e:4b:5d:3b:
cd:9d:a0:fd:73:0a:7b:00:81:d4:c2:7e:34:01:08:
a2:e1:8a:9e:ec:d2:5e:9d:5c:61:29:05:ef:86:e1:
1d:e6:d1:9e:27:85:2a:e8:7c:13:8e:96:cd:be:03:
d0:d0:23:29:28:cf:97:ea:38:b7:45:5a:8a:8e:c6:
fc:0f:cd:45:a8:ce:82:e5:27:92:d1:1c:c6:7a:51:
30:f4:4a:5a:2b:1d:60:f8:c8:21:f2:0e:0d:20:9d:
be:6d:be:db:1f:80:66:a5:33:e7:0a:ba:ac:78:c8:
a5:5b:e9:07:fb:83:c0:59:11
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DC:FC:85:B7:7F:01:33:EB:81:78:1D:29:A7:BC:A8:77:8F:2F:AD:3E
X509v3 Authority Key Identifier:
keyid:15:CF:EA:59:0D:BE:5E:55:3E:61:B2:B4:A9:2B:28:18:DB:9F:A3:0D
DirName:/C=US/ST=Colorado/L=Colorado Springs/O=UCCS/OU=Computer Science/CN=CAfc3/emailAddress=ca@fc3c.csnet.uccs.edu
serial:00
Signature Algorithm: md5WithRSAEncryption
55:ff:bc:e0:50:92:e7:6c:4b:a3:f4:0f:66:d2:f2:88:cb:13:
e3:20:39:22:4d:21:66:d8:27:70:7f:38:ca:68:4e:25:72:21:
4f:1d:06:9d:3a:fe:34:e1:ae:70:b4:72:7f:d5:fa:df:7a:13:
af:e7:8e:bc:93:bd:09:13:84:06:03:c2:82:b3:8b:e0:0d:30:
26:1d:6d:33:5c:52:9b:7c:b8:19:20:6a:12:92:4c:2c:86:44:
e7:44:d1:8e:4f:42:81:25:ab:1b:0b:8a:15:d5:8c:5c:a5:e2:
b5:52:ea:42:11:bc:bc:00:35:26:f1:23:eb:a9:89:4d:43:f4:
22:7a
Here is a bundle of X.509 certificates of public
Certificate Authorities used in Fedora Core 4. It is located in /etc/pki/tls/cert.pem.
It was generated from the Mozilla root CA list.
"The binary format of a certificate is defined using the ASN.1 notation
[ X208] [PKCS]. This notation defines how to specify the contents, and encoding
rules define how this information is translated into binary form. The binary
encoding of the certificate is defined using Distinguished Encoding Rules
(DER), which are based on the more general Basic Encoding Rules (BER). For
those transmissions which cannot handle binary, the binary form may be translated
into an ASCII form by using Base64 encoding [MIME]. This encoded version
is called PEM encoded (the name comes
from "Privacy Enhanced Mail"),
when placed between begin and end delimiter lines" (cited in http://cs.uccs.edu/manual/ssl/ssl_intro.html)
as follows:
-----BEGIN CERTIFICATE-----
MIID5TCCA06gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBnDELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCENvbG9yYWRvMRkwFwYDVQQHExBDb2xvcmFkbyBTcHJpbmdzMQ0w
CwYDVQQKEwRVQ0NTMRkwFwYDVQQLExBDb21wdXRlciBTY2llbmNlMQ4wDAYDVQQD
EwVDQWZjMzElMCMGCSqGSIb3DQEJARYWY2FAZmMzYy5jc25ldC51Y2NzLmVkdTAe
Fw0wNTAyMTUyMDE0NTVaFw0wNjAyMTUyMDE0NTVaMIGnMQswCQYDVQQGEwJVUzER
MA8GA1UECBMIQ29sb3JhZG8xGTAXBgNVBAcTEENvbG9yYWRvIFNwcmluZ3MxDTAL
BgNVBAoTBFVDQ1MxGTAXBgNVBAsTEENvbXB1dGVyIFNjaWVuY2UxEjAQBgNVBAMT
CXNlcnZlcmZjMzEsMCoGCSqGSIb3DQEJARYdd2VibWFzdGVyQGZjM2MuY3NuZXQu
dWNjcy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKOKS2ybJQvfVSZ+
S107zZ2g/XMKewCB1MJ+NAEIouGKnuzSXp1cYSkF74bhHebRnieFKuh8E46Wzb4D
0NAjKSjPl+o4t0Vaio7G/A/NRajOguUnktEcxnpRMPRKWisdYPjIIfIODSCdvm2+
2x+AZqUz5wq6rHjIpVvpB/uDwFkRAgMBAAGjggEoMIIBJDAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU3PyFt38BM+uBeB0pp7yod48vrT4wgckGA1UdIwSBwTCBvoAUFc/qWQ2+
XlU+YbK0qSsoGNufow2hgaKkgZ8wgZwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhD
b2xvcmFkbzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczENMAsGA1UEChMEVUND
UzEZMBcGA1UECxMQQ29tcHV0ZXIgU2NpZW5jZTEOMAwGA1UEAxMFQ0FmYzMxJTAj
BgkqhkiG9w0BCQEWFmNhQGZjM2MuY3NuZXQudWNjcy5lZHWCAQAwDQYJKoZIhvcN
AQEEBQADgYEAVf+84FCS52xLo/QPZtLyiMsT4yA5Ik0hZtgncH84ymhOJXIhTx0G
nTr+NOGucLRyf9X633oTr+eOvJO9CROEBgPCgrOL4A0wJh1tM1xSm3y4GSBqEpJM
LIZE50TRjk9CgSWrGwuKFdWMXKXitVLqQhG8vAA1JvEj66mJTUP0Ino=
-----END CERTIFICATE-----
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Colorado
localityName = Locality Name (eg, city)
localityName_default = Colorado Springs
0.organizationName = Organization Name (eg, company)
0.organizationName_default = UCCS
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Computer Science
Making CA certificate ...
Generating a 1024 bit RSA private key
.....................................................++++++
........................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: XXXXXXX
Verifying - Enter PEM pass phrase: XXXXXX
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Colorado]:
Locality Name (eg, city) [Colorado Springs]:
Organization Name (eg, company) [UCCS]:
Organizational Unit Name (eg, section) [Computer Science]:
Common Name (eg, your name or your server's hostname) []:CAfc4
Email Address []:ca@fc4.csnet.uccs.edu
Replace fc4 in the above Common Name and Email with your ufp login name. Same for the following steps.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
Certificate is to be certified until Sep 25 20:51:04 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Colorado, L=Colorado Springs, O=UCCS, OU=Computer Science,
CN=CAfc4/emailAddress=ca@fc4.csnet.uccs.edu
Validity
Not Before: Sep 25 20:51:04 2005 GMT
Not After : Sep 25 20:51:04 2006 GMT
Subject: C=US, ST=Colorado, L=Colorado Springs, O=UCCS, OU=Computer Science,
CN=fc4.csnet.uccs.edu/emailAddress=webmaster@fc4.csnet.uccs.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:cf:47:e7:92:6e:8b:e8:d7:49:70:11:86:40:ed:
43:47:f5:29:18:b3:ba:48:ad:3d:21:b3:2e:91:ab:
5d:6d:c1:ed:79:18:5a:e7:43:e3:6b:ba:fe:de:4c:
c6:c6:44:8a:93:fd:5d:a7:60:b4:1a:30:88:09:65:
42:d4:bb:cb:02:b3:bc:dc:a2:03:fd:f5:3e:9f:f7:
db:c3:fe:a2:87:dd:c7:e9:4d:04:b6:6a:61:3f:62:
de:e1:b1:d6:63:ea:bf:c3:8f:a7:28:2f:bd:74:7f:
b3:52:e6:8d:8f:e3:80:30:2d:fd:38:30:03:7d:5a:
f6:ff:c5:1e:46:4b:f8:ca:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E1:CD:8D:3F:6E:50:99:BB:F0:30:B6:07:0C:A4:C2:99:02:3F:28:4A
X509v3 Authority Key Identifier:
keyid:75:FD:1F:6F:A2:70:E1:26:73:03:E0:8A:3C:07:E0:DB:C5:76:12:4F
DirName:/C=US/ST=Colorado/L=Colorado Springs/O=UCCS/OU=Computer Science/CN=CAfc4/emailAddress=ca@fc4.csnet.uccs.edu
serial:DC:A6:6A:EF:B8:04:93:3D
Signature Algorithm: sha1WithRSAEncryption
c0:97:c5:ab:b8:28:da:72:45:ea:34:3f:1e:f2:79:6b:51:07:
23:8e:99:c5:8c:68:5a:50:20:85:5e:69:bf:8d:69:61:69:ed:
95:e0:f4:2a:16:bc:16:fd:78:6b:fa:77:d2:8f:29:fe:da:0a:
87:de:81:0f:64:75:fe:6e:f5:3c:5b:d3:57:72:bc:d5:83:22:
81:01:05:bc:d0:21:0d:7e:59:d2:68:2e:57:40:a1:fa:47:81:
95:f4:c9:71:1d:82:0c:cb:21:3b:8e:fb:16:e2:fa:c9:c6:ee:
70:5f:b9:9b:fa:64:ab:6e:62:f9:83:99:bf:e7:00:e3:9f:4e:
3f:4a
-----BEGIN CERTIFICATE-----
MIID8zCCA1ygAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmzELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCENvbG9yYWRvMRkwFwYDVQQHExBDb2xvcmFkbyBTcHJpbmdzMQ0w
CwYDVQQKEwRVQ0NTMRkwFwYDVQQLExBDb21wdXRlciBTY2llbmNlMQ4wDAYDVQQD
EwVDQWZjNDEkMCIGCSqGSIb3DQEJARYVY2FAZmM0LmNzbmV0LnVjY3MuZWR1MB4X
DTA1MDkyNTIwNTEwNFoXDTA2MDkyNTIwNTEwNFowga8xCzAJBgNVBAYTAlVTMREw
DwYDVQQIEwhDb2xvcmFkbzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczENMAsG
A1UEChMEVUNDUzEZMBcGA1UECxMQQ29tcHV0ZXIgU2NpZW5jZTEbMBkGA1UEAxMS
ZmM0LmNzbmV0LnVjY3MuZWR1MSswKQYJKoZIhvcNAQkBFhx3ZWJtYXN0ZXJAZmM0
LmNzbmV0LnVjY3MuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPR+eS
bovo10lwEYZA7UNH9SkYs7pIrT0hsy6Rq11twe15GFrnQ+Nruv7eTMbGRIqT/V2n
YLQaMIgJZULUu8sCs7zcogP99T6f99vD/qKH3cfpTQS2amE/Yt7hsdZj6r/Dj6co
L710f7NS5o2P44AwLf04MAN9Wvb/xR5GS/jK6wIDAQABo4IBLzCCASswCQYDVR0T
BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
dGUwHQYDVR0OBBYEFOHNjT9uUJm78DC2BwykwpkCPyhKMIHQBgNVHSMEgcgwgcWA
FHX9H2+icOEmcwPgijwH4NvFdhJPoYGhpIGeMIGbMQswCQYDVQQGEwJVUzERMA8G
A1UECBMIQ29sb3JhZG8xGTAXBgNVBAcTEENvbG9yYWRvIFNwcmluZ3MxDTALBgNV
BAoTBFVDQ1MxGTAXBgNVBAsTEENvbXB1dGVyIFNjaWVuY2UxDjAMBgNVBAMTBUNB
ZmM0MSQwIgYJKoZIhvcNAQkBFhVjYUBmYzQuY3NuZXQudWNjcy5lZHWCCQDcpmrv
uASTPTANBgkqhkiG9w0BAQUFAAOBgQDAl8WruCjackXqND8e8nlrUQcjjpnFjGha
UCCFXmm/jWlhae2V4PQqFrwW/Xhr+nfSjyn+2gqH3oEPZHX+bvU8W9NXcrzVgyKB
AQW80CENflnSaC5XQKH6R4GV9MlxHYIMyyE7jvsW4vrJxu5wX7mb+mSrbmL5g5m/
5wDjn04/Sg==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E0CD27BB7E7391A8
/B3JCpLAAL+Nx7UhWcFLtFSvZQYAAWTJKdn0PXkd4yww/m4hSzvAnIae8hs/RC3a
qVsjuuVL0KGOLwCvbTpKxC6NUCWgMjsxqzwwCOEOe839uarM1kfL1sszpqtTDMFe
CZwP8yEBBkbe72+Txllq7TVkaKPwVFTmey4T8Bk2iWc5XqYQjefTBRvBsASOlTbq
7x0nWcsLbTuAYLZbWPMweWXkODfg7uXRHOH5OLaaeiI9wFXy8PRyZFaUtKr/IoIy
e0ZVvveU3lBO+56y1KyGkys1ggqCwLvMGddVRpx7qoSL9epzjwQgaS3LndpwzIi0
HF1zaFOe3C66rkENMlh1Iz+bl2YD6bYIzYr0g3A0UZFIM70deuXH9OOioNt4+slb
Ck2zD1iqi8aIUz/CUgY3K5vTiTTuqeMCpvs5LmDOwmau3GfkwEG0Z6VAkifLmhrc
HbzLTk6q4KRCYuHhTq2snXbrxsICqvgSUJG90owgV/B3aQVpS59pi9tiuGK13xji
sH9UHF8NbTKTugApajWK7fUrVIF4duSDlilEgx+VG5KnbPErUWlJcP67emdRHk9Z
GucYpbyoNA5v1BXdcU2lmoBDQm9dyU6+eX0x6ZNopLYELM8rINr/zcFkJ4+xIz9B
eZg+EvrTyHfWRAeYVoj7yZKBLPZrnESC1Pztwx1xSZsPCkJ02H4BzzStZ0v/a3zh
KvfywfHl9hPVfUELfSaKQJaUsqAokEJeEhMlSqIhnjg7DKPqBeR7fw38fw/QUeKO
OSgfBEXAMMS+GA974rw1AvQrDlJOdpmFtB9XfkF+of2pStrcWJcuow==
-----END RSA PRIVATE KEY-----
The first two lines indicated the private key is encrypted with 3DEC encryption method and E0CD27BB7E7391A8 is the encrypted password.
If we use serverPrivateKey.pem as server.key directly, the apache web server will ask for pass phrase during the configuration time and fails if we use apachectl script.
To avoid the problem of entering the pass phrase, we can remove the pass phrase protection on the server private key with the following openssl command.
[root@fc4 tls]# cp fc4ServerPrivateKey.pem fc4ServerPrivateKey.pem.new
[root@fc4 tls]# openssl rsa -in fc4ServerPrivateKey.pem.new -out fc4ServerPrivateKey.pem
Enter pass phrase for fc4ServerPrivateKey.pem.new:
writing RSA key
[root@fc3c ssl.key]# vi fc4ServerPrivateKey.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCjiktsmyUL31UmfktdO82doP1zCnsAgdTCfjQBCKLhip7s0l6d
XGEpBe+G4R3m0Z4nhSrofBOOls2+A9DQIykoz5fqOLdFWoqOxvwPzUWozoLlJ5LR
HMZ6UTD0SlorHWD4yCHyDg0gnb5tvtsfgGalM+cKuqx4yKVb6Qf7g8BZEQIDAQAB
AoGAF8N5sD9fA7mhEuXZJ6QP/a6uBXBpbSpwcw6JmfjaSjGtZDYxX2ZUC/T72DqP
8MFW3OFB2eRlpxuMq+a8CfKCAVupNh8rmEgIGn6qgjasledp4ifFOAwsekC7E3WY
hp1k1X8AUzZ6pS9c849zObhgWZ6vGCBvay00Se23ex7mQAECQQDO1jAA7CT8fjqA
FodWnK0K0UblKa8H1Vm4+4+x4+YV+UZUo11QCEUPkgg3QDki+zIQL9RwMrKK5rF7
eDOhpvwBAkEAymmPMi7EVRzmw8PFq2iVuCPhJt+HEWf9RAEg8RD/mBmwCUKueU/J
n+l9GDzOqlrdDgeDuXwfoop07pzL0x2dEQJAN0MW1EhDoYqAStS6GDQIL8m2bWfz
sd4Y+MmNnPPM97YASoDTX5y2BvD3bPulyGjg+V4uHkQNW/tDFEALW3doAQJBAMnv
zCvNmpQrdFJkc0XR3mTKburgYJlN/M+mrJ20TrsJDaX/f5+JqWa/g8z1hV1Rr246
swEPQ2Re68/OYE7sIXECQQCA5jLmCophfT54L3toKwWzRrwiLXdG/3x5qPQfsNv9
Q+jyRqVIQ46ecavqS803BYRUa2nId7Hx92sWAyhLBaJi
-----END RSA PRIVATE KEY-----
SSLVerifyClient none
<Directory /var/www/html/secure>
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions +FakeBasicAuth
SSLRequireSSL
AuthName "UCCS CS Department"
AuthType Basic
AuthUserFile /etc/httpd/conf/httpd.passwd
require valid-user
</Directory>
Add the following line to the /etc/httpd/conf/httpd.passwd
/C=US/ST=Colorado/L=Colorado Springs/O=UCCS/OU=Computer Science/CN=chow/emailAddress=chow@cs.uccs.edu:xxj31ZMTZzkVA
You should replace chow with your own CN and chow@cs.uccs.edu with your
own email address.
The encrypted password xxj31ZMTZzkVA should not be changed. All
entries in httpd.passwd should this exact the same fake password.
No space after A.
If you did not see httpd.passwd, create one
The above client certificate verification using FakeBasicAuth option is
implemented in line1836 of ssl_hook_UserCheck() of ssl_engine_kernel.c.
http://cs.uccs.edu/~cs591/httpd-2.0.54/modules/ssl/ssl_engine_kernel.c
Since we specify in the above "SSLCACertificateFile conf/ssl.crt/ca.crt"
to use the public key in this CA certificate to verify the client certificate,
we need to copy the CA certificate from /usr/share/sshl. Use the following
command:
cp /etc/CA/cacert.pem /etc/httpd/conf/ssl.crt/ca.crt
Make sure to include all subject field of the client certificate. The example in SSL-how-to does not include /ST, /O, and /emailAddress fields and does not seem to work with apache2.0.52 on fc3.
Create a secure directory under /var/www/html. With index.html contains
" <h1> This is a secure area only accessible via client certificate
and subject field match the httpd.passwd list.</h1>
openssl pkcs12 -export -in clientCert.pem -inkey clientKey.pem -out <yourLogin>Client.p12
[root@athena tls]# openssl pkcs12
-export -in clientCert.pem -inkey clientKey.pem -out chowClient.p12
Enter pass phrase for clientKey.pem: XXXXXXX
Enter Export Password: YYYYYYYY
Verifying - Enter Export Password: YYYYYYYY