/ Zope / Apsis / Pound Mailing List / Archive / 2004 / 2004-10 / : Trivial questions about certs


: Trivial questions about certs
"Reid Johnson" <rjohnson(at)corenetwork.ca>
2004-10-18 19:34:57
Hi everyone,

I am new to pound and have a few questions. I have two firewalls that run
active passive, the IP my clients connect to is virtual. So here are my
questions:

1. Can I run the same cert on both my firewalls?
2. Do I have to generate the cert on the firewall or can I import it from
another machine?
3. Do I have to have openssl installed on the firewalls, or does pound handle
the backend stuff after the certs are installed?
4. I have specified /usr/local/etc/pound/certs/cert.pem where should the key
go?

So I must apologize for asking these ridiculous questions, but so far I
haven't been able to find an answer.

Thanks,
Reid

RE: : Trivial questions about certs
Brook Stevens <bstevens(at)Cleanwise.com>
2004-10-18 19:22:36
I had problems finding out what exactly a pem file was, so if you can't find
it a pem file looks like this:
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----
[empty line]
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
[empty line]
[...]

RE: : Trivial questions about certs
Michael DeGusta <degusta(at)gmail.com>
2004-10-18 19:42:16
1. Yes, you can use the same cert on as many servers as you want.
2. You can generate the cert anywhere.
3. OpenSSL needs to be installed on each machine running pound.
4. The .pem file should contain both the cert and the key (in that order).

Hope that helps!

-----Original Message-----
From: Reid Johnson [mailto:rjohnson(at)corenetwork.ca] 
Sent: Monday, October 18, 2004 10:35 AM
To: pound(at)apsis.ch
Subject: : Trivial questions about certs

Hi everyone,

I am new to pound and have a few questions. I have two firewalls that run
active passive, the IP my clients connect to is virtual. So here are my
questions:

1. Can I run the same cert on both my firewalls?
2. Do I have to generate the cert on the firewall or can I import it from
another machine?
3. Do I have to have openssl installed on the firewalls, or does pound handle
the backend stuff after the certs are installed?
4. I have specified /usr/local/etc/pound/certs/cert.pem where should the key
go?

So I must apologize for asking these ridiculous questions, but so far I
haven't been able to find an answer.

Thanks,
Reid

RE: : Trivial questions about certs
Michael DeGusta <degusta(at)gmail.com>
2004-10-18 20:11:36
Interesting - my pems are actually in the other order and without the
empty lines, so mileage may vary. Since we're on the topic, and this was
something I had trouble tracking down: if you happen to have a chained
cert (from instantSSL, etc.), the intermediate cert should go in the
pem too. Here's what mine look like:

-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[encoded intermediate certificate]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----

[...]

RE: : Trivial questions about certs
"John D" <jwdavid(at)ibizvision.com>
2004-10-18 21:59:57
Hi,

It has been our experience that the order in which stuff (key/certs) appears in the PEM
doesn't matter to Pound (or OpenSSL, for that matter).

Just my 2 cents.

John D.

********** Original Email *********
** To:   pound(at)apsis.ch
** From: Michael DeGusta <degusta(at)gmail.com>
** Date: Mon, 18 Oct 2004 11:11:36
**********

Interesting - my pems are actually in the other order and without the
empty lines, so mileage may vary. Since we're on the topic, and this was
something I had trouble tracking down: if you happen to have a chained
cert (from instantSSL, etc.), the intermediate cert should go in the
pem too. Here's what mine look like:

-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[encoded intermediate certificate]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----

[...]

Re: : Trivial questions about certs
Robert Segall <roseg(at)apsis.ch>
2004-10-19 08:45:13
On Monday 18 October 2004 19.34, Reid Johnson wrote:[...]

As many as you wish - the file is opened once (read-only), read and closed.
[...]

You can generate it anywhere you wish. It is just a file that sits somewhere 
on your disk, you don't need to - or even can - "import" it. Given that it 
includes your private key you may want to protect it a bit...
[...]

If you compiled with shared libraries then you'll need them on the machine 
where Pound runs.
[...]

Wherever you wish in the file - the order is not important. In older Pound 
versions the ordering had to be respected, but in the latest versions this 
requirement has been dropped. Just make sure you have at least a certificate 
and its private key in there, possibly followed by extra chain certificates 
if you used them.
[...]

I hope the above helps a bit.[...]
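The thread settles on three facts about the Pound "Cert" file: it must hold one private key and at least one certificate, recent Pound versions accept them in any order (with or without blank lines between blocks, and the posted samples even carry trailing spaces after the dashes), and because the private key sits in the same file it should not be readable by anyone but the owner. The following is an added example, not code from Pound or from any poster: a stdlib-only Python checker that parses such a combined PEM file tolerant of those layout variations, validates each block's base64 body, reports the block order and chain length, and warns about permissive file modes. The sample PEM it ships with is constructed from placeholder bytes (not a real key or certificate), and the function and file names are this example's own.

```python
"""Sanity-check a combined Pound-style PEM file (added example, stdlib only).

Assumptions (this example's, not the thread's): the file holds exactly one
private key plus one or more CERTIFICATE blocks in any order, and only the
owner should be able to read it.
"""
import base64
import binascii
import os
import re
import stat
from typing import Dict, List, Tuple

# One PEM block. \s* around the body absorbs blank lines and the trailing
# spaces after the dashes seen in the posted samples; \1 forces the END
# label to match the BEGIN label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)

KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every block, in file order.

    Raises ValueError when a block body is not valid base64.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label = m.group(1)
        body = re.sub(r"\s+", "", m.group(2))  # drop line breaks / blanks
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as e:
            raise ValueError(f"{label}: bad base64 body: {e}") from None
        blocks.append((label, der))
    return blocks


def check_pem(text: str) -> Dict[str, object]:
    """Summarise a Pound 'Cert' file; order is deliberately not enforced."""
    labels = [lbl for lbl, _ in parse_pem(text)]
    keys = [lbl for lbl in labels if lbl in KEY_LABELS]
    certs = [lbl for lbl in labels if lbl == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block found")
    return {
        "order": labels,
        "key_count": len(keys),
        "cert_count": len(certs),
        "chain_certs": max(0, len(certs) - 1),  # extra certs beyond the leaf
        "problems": problems,
    }


def mode_warnings(mode: int) -> List[str]:
    """Warn when group or other can read/write a file that holds the key."""
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        return [f"mode {oct(mode)} allows group/other access; use 0600"]
    return []


def check_mode(path: str) -> List[str]:
    return mode_warnings(stat.S_IMODE(os.stat(path).st_mode))


def _fake_block(label: str, payload: bytes) -> str:
    """Build a syntactically valid PEM block from constructed, non-secret bytes."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    # Trailing space after the dashes, as in the samples posted in the thread.
    return (f"-----BEGIN {label}----- \n" + "\n".join(lines)
            + f"\n-----END {label}----- \n")


# Constructed sample in the leaf / intermediate / key order one poster used,
# with a blank line before the key block. Payloads are placeholders only.
SAMPLE_PEM = (
    _fake_block("CERTIFICATE", b"constructed leaf certificate bytes")
    + _fake_block("CERTIFICATE", b"constructed intermediate certificate bytes")
    + "\n"
    + _fake_block("RSA PRIVATE KEY", b"constructed key bytes, not a real key")
)


if __name__ == "__main__":
    import sys
    print(check_pem(SAMPLE_PEM))
    if len(sys.argv) > 1:  # e.g. /usr/local/etc/pound/certs/cert.pem
        with open(sys.argv[1]) as f:
            print(check_pem(f.read()))
        for w in check_mode(sys.argv[1]):
            print("WARNING:", w)
```

Run it with the path of the Pound certificate file as the only argument; an empty "problems" list plus no mode warning means the file has the shape the thread describes. The checker does not verify that the key actually matches the leaf certificate or that the chain is complete; for that you still want `openssl` on a machine you trust, which need not be the firewall itself.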