As the Microsoft Certificate Console exports a PKCS#12 file, the only thing
you have to do is remove the passphrase and convert it:
openssl pkcs12 -in cert.pfx -out cert.pem -nodes
That's it!
Seems like my only problem was not being familiar with openssl *g*
When I configure NAT on the gateway the SSL site is working well; with Pound
it works with a browser, but when using a script I get
an HTTP 500 error. Seems like the Host header is not being transferred or
something like that.
If someone ever had the same problem, let me know the answer; if not, no
problem.
As every SSL site needs its own IP address, I can live with the NAT solution.
Thanks for your suggestions
-----Original Message-----
From: Jonathan Cyr [mailto:cyrj(at)cyr.info]
Sent: Wednesday, May 26, 2004 8:36 PM
To: pound(at)apsis.ch
Subject: Re: SSL Certificate issue
I just went through this SSL stuff... here are some suggestions...
1) Since Pound uses OpenSSL as a resource, the problems you'll have are
with SSL keys and certificates, and how they're generated. These Pound
folks aren't necessarily keen on answering OpenSSL questions. OpenSSL's
mailing list is quite good as well, at http://www.openssl.org
2) Make sure Pound is working with a self-generated certificate, as per the
man pages. That way you can rule out Pound and its config files as a
problem.
3) Pound is expecting a single file (I use combo1.pem) with a decoded
private key followed by a PEM-encoded certificate (This file is declared in
the Listen directive). Two distinct blocks of encryption. If you need
intermediate certificates or a complete chain, they are added to the end, in
sequence.
4) The certificate needs to be in PEM format. OpenSSL provides tools for
conversion from DER, an older standard (and, I guess, NET). OpenSSL has
commands to test for PEM.
- To test for PEM: openssl x509 -text -in filename --- This will yield
a certificate in English from Encrypted PEM
- To test for DER: openssl x509 -inform der -text -in filename --- This
will yield a certificate in English from Encrypted DER
- To convert DER to PEM: openssl x509 -inform der -in filename -out
filename.pem --- Will convert from DER to PEM, then test
- To decrypt a private key: openssl rsa -in foo.key >> cert.pem --- This
will prompt you for a passphrase and decode the file into cert.pem; the
-nodes flag in the self-signed command (Pound man pages) provides this for
the self-signed version
- All of the above commands, are from O'Reilly's Linux Security Cookbook,
available on Safari at http://safari.oreilly.com
5) These filename extensions don't seem to matter; they all become .pem's
6) OpenSSL provides a client command to query your setup, with feedback...
very helpful for debugging.
7) Pound and OpenSSL have no direct or ongoing linkage. OpenSSL's dev
resources are accessed during compilation of Pound, and that's it. OpenSSL
seems to be a toolkit, a resource (i.e. Apache mod_ssl) and a generator for
all of the pieces of the SSL puzzle. Pound uses OpenSSL more like an IMAP
mail server would, rather than how Apache does.
It's not easy to find your way. The relationship between Pound, SSL, and
the OpenSSL tool is lacking in documentation; fortunately both have very
helpful message boards.
Good Luck,
Jon Cyr
cyrj(at)cyr.info
Chris Gamache wrote:
The process is a bit rusty in my mind. I don't have to do it often. Please
forgive the rough edges. This is one of those close-enough(tm) suggestions. :)
Export your cert. (I think you might have to export it in IIS 4 compatibility
mode...) Make sure you export the whole thing, public and private key. IIS
will give you some warnings about storing your private key in the exported
format. You can take those into consideration as you do this. Then use
openssl to convert it...
# openssl rsa -inform NET -in iisfile.key -out private.pem
And there you have it...
HTH,
CG
--- Martin Schubert <Martin(at)Amalien45.de> wrote:
Hi,
I want to use Pound as a reverse proxy for my IIS.
As the IIS has one SSL site, I need to use the webserver certificate
generated by a private Windows CA
for the Pound SSL wrapper.
How do I convert the certificate so that Pound will accept it? I've been
trying for days now, so please give a hint.
thanx,
Martin
[...]