/ Zope / Apsis / Pound Mailing List / Archive / 2004 / 2004-05 / SSL Certificate issue

[ << ] [ >> ]

[ dedicated backends and fall-backs possible? / ... ] [ Exploratory questions (long) / "Jay ... ]

SSL Certificate issue
"Martin Schubert" <Martin(at)Amalien45.de>
2004-05-20 14:19:54 [ FULL ]
I want to use Pound as a reverse proxy for my IIS.
As the IIS has one SSL site I need to use the webserver certificate
generated by a private windows CA 
for the pound ssl-wraper. 
How do I convert the certificate so that pound will accept it ? I've been
trying for days now so please give a hint  

thanx ,

Re: SSL Certificate issue
Chris Gamache <cgg007(at)yahoo.com>
2004-05-20 21:27:54 [ FULL ]
The process is a bit rusty in my mind. I don't have to do it often. Please
forgive the rough edges. This is one of those close-enough(tm) suggestions. :)

Export your cert. (I think you might have to export it in IIS 4 compatibility
mode...) Make sure you export the whole thing, public and private key. IIS will
give you some warnings about storing your private key in the exported format.
You can take those into consideration as you do this. Then use openssl to
convert it...

# openssl rsa -inform NET -in iisfile.key -out private.pem

And there you have it... 



--- Martin Schubert <Martin(at)Amalien45.de> wrote:[...]


Re: SSL Certificate issue
Jonathan Cyr <cyrj(at)cyr.info>
2004-05-26 20:35:36 [ FULL ]
I just went through this SSL stuff... here are some suggestions...

1) Since Pound uses OpenSSL as a resource, the problems you'll have, are 
with SSL keys and certificates, and how they're generated.  These Pound 
folks aren't necessarily keen on answering OpenSSL questions.  OpenSSL's 
mailing list is quite good, as well, at http://www.openssl.org

2) Make sure Pound is working with a self-generated certificate, as per 
the man pages.  That way you can rule out Pound and its config files as 
a problem.

3) Pound is expecting a single file (I use combo1.pem) with a decoded 
private key followed by a PEM-encoded certificate (This file is declared 
in the Listen directive).  Two distinct blocks of encryption.  If you 
need intermediate certificates or a complete chain, they are added to 
the end, in sequence.

4) The certificate needs to be in PEM format, OpenSSL provides tools for 
conversion from DER, an older standard.  (and I guess NET).  OpenSSL has 
commands to test for PEM.

- To test for PEM: openssl x509 -text -in filename       --- This will 
yield a certificate in English from Encrypted PEM
- To test for DER: openssl x509 -inform der -text -in filename     --- 
This will yield a certificate in English from Encrypted DER
- To convert DER to PEM: openssl x509 -inform der -in filename -out 
filename.pem     --- Will convert from DER to PEM, then test
- To decrypt private key: openssl rsa -in foo.key >> cert.pem     --- 
This will prompt you for a passphrase and decode the file in cert.pem, 
the -nodes flag in the self-signed command (Pound man pages) provides 
this for the self-signed version

- All of the above commands, are from O'Reilly's Linux Security 
Cookbook, available on Safari at http://safari.oreilly.com

5) These filename extensions dont seem to matter, they all become .pem's

6) OpenSSL provides a client command to query your setup, with 
feedback... very helpful for debugging.

7) Pound and OpenSSL have no direct or ongoing linkage.  OpenSSL's dev 
resources are accessed during compilation of Pound, and that's it.  
OpenSSL seems to be a toolkit, a resource (ie Apache mod_ssl) and a 
generator for all of the pieces of the SSL puzzle.  Pound uses OpenSSL 
more like a IMAP mail server would, rather than how Apache does.

It's not easy to find your way.  The relationship between Pound, SSL, 
and the OpenSSL tool, is lacking in documentation, fortunately both have 
very helpful message boards,

Good Luck,

Jon Cyr

Chris Gamache wrote: