
SubCA/Intermedia-Cert with pound
"Jens Parree" <j.parree(at)invias.de>
2008-05-30 13:01:28
Hi,

It happens more and more often that preinstalled root certs in web browsers
are going to expire during the next three years. This means that long-period
certs, e.g. with a lifetime of 3 years, will not be accepted in those
browsers (e.g. FF, Opera, etc.).

The standard solution is to deliver a so-called "SubCA" or
"Intermedia-Cert" next to the server cert when a user opens a domain in
the browser.

How can this be done with pound? Please provide a config example if a
solution is known.


Thanks 
JJP

Re: [Pound Mailing List] SubCA/Intermedia-Cert with pound
Dave Steinberg <dave(at)redterror.net>
2008-05-30 14:49:55
Jens Parree wrote:[...]

Pound serves PEM format certs, so if you need an intermediary cert, the 
formula is:

cat server.key server.crt intermediate.crt > server.pem

I do that sort of thing to make my certs - works fine.  Nothing special 
required in the config file.

Regards,[...]

Re: [Pound Mailing List] SubCA/Intermedia-Cert with pound
"Jens Parree" <j.parree(at)invias.de>
2008-05-30 16:02:01
Well,

what I did is:

1. Remove pass from private key: $ openssl rsa -in private.key -out private.pem
2. $ cat private.pem cert.crt intermediate.pem > poundcert.pem
3. start pound with example config:
----------------------------
ListenHTTPS
  Address 0.0.0.0
  Port    8081
  #Cert    "/path/to/server/cert_and_key.pem"
  Cert    "/etc/pound/newfinalcert.pem"
  ClientCert 0
  #CAlist "/path/to/ca/cert.pem"
  #VerifyList "/path/to/ca/cert.pem"
  #pass along https hint
  AddHeader "X-Forwarded-Proto: https"
  Service
    BackEnd
      Address 127.0.0.1
      Port    443
    End
  End
End
----------------------------
4. restarted pound: done
5. getting error:
----------------------------
30/May/2008 15:56:15 +0200: line 26: unknown directive "  ClientCert 0" - aborted
----------------------------


Any Idea?


Thanks.
J.



Re: [Pound Mailing List] SubCA/Intermedia-Cert with pound
"Jens Parree" <j.parree(at)invias.de>
2008-05-30 16:04:33
Argh... removed this from the config file... now pound seems to start properly.

ClientCert 0

Sorry, missed that.



Re: [Pound Mailing List] SubCA/Intermedia-Cert with pound
"Jens Parree" <j.parree(at)invias.de>
2008-05-30 20:42:12
Just to enable others to search this mailing list for a solution to the
SubCA/Intermedia-Cert with pound issue, here is a simple explanation and
a small guide.

-------------------------------------------
It happens more and more often that preinstalled rootCA certs in web browsers
are going to expire soon. This means that long-period certs, e.g. with a
lifetime of 3 years, will not be accepted in those browsers (e.g.
Firefox, Opera, etc.).

The solution is to create a chain of certificates which will be provided
to the client when the user requests a domain via the browser.

This certificate chain utilizes a SubCA (intermediate cert) to extend
the validity period of the browser's preinstalled rootCA cert. This will
make browsers not display cert errors due to invalid validity periods or
root-CA certs timing out in the near future.

Example (three-year wildcard cert, pound load balancer,
SubCA/intermediate cert):

You created a private key and a CSR to request a wildcard cert with a
validity of three years for the domain (Common Name) "*.mydomain.com"
and received a signed cert from a public certificate authority (e.g.
Verisign, TrustCenter, etc.). If the rootCA certificate used by
web browsers for the selected certificate authority (CA) is going to
expire in less than the given three years of your new cert, you are
required to provide a SubCA cert/intermediate cert to your website's
visitors.

In this case a certificate chain will be built up to be used in a single
file which can be delivered by pound like this:

1. Download the rootCA cert (e.g. Class 2) from your certificate
authority's (CA) website (PEM format), matching the type of server cert
you received from the CA.

2. Download the SubCA cert or intermediate cert from your certificate
authority's (CA) website (PEM format), matching the type of server cert
you received from the CA.

3. Remove the passphrase from your private key file, e.g. like this:

          $ openssl rsa -in private.key -out privatekey.pem
          You will be asked to enter your private key's passphrase.

4. Now combine your private key and all certs into a certificate chain,
e.g. like this (the order of keys and certs is important):

          $ cat privatekey.pem wildcardcert.crt intermediatecert.pem rootcacert.pem > finalcert.pem

5. Modify your pound.cfg ListenHTTPS e.g. like this:

          ListenHTTPS
             Address 0.0.0.0
             Port 443
             Cert "/etc/pound/newfinalcert.pem"
             #pass along https hint
             AddHeader "X-Forwarded-Proto: https"
             Service
                BackEnd
                   Address 127.0.0.1
                   Port 80
                End
             End
          End

6. Restart pound using one of the following commands (depends on your
system):

          $ rcpound restart
          or
          $ /etc/init.d/pound restart

7. You can use pound as an https sanitizer for any kind of
https-protected FQDN which matches the wildcard cert, e.g.:

          foo.yourdomain.com
          bar.yourdomain.com
          helloworld.yourdomain.com
          ...
-------------------------------------------

J.
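Added example, not code from the thread or from the Pound project: a small POSIX shell script that checks a Cert bundle built the way Dave Steinberg's reply and the guide above describe, before Pound is restarted. It catches the two things that go wrong in practice, a private key that still carries a passphrase (Pound does not prompt for it) and a missing or mis-ordered intermediate (the key must be the first block, then the server cert, then the SubCA cert), and, when openssl is installed, confirms that the key belongs to the server cert and that the server cert verifies against the root using only the bundled intermediate, which is the test a browser holding just the root performs. The file names, the throwaway test chain it generates (root, SubCA and a 30-day wildcard cert for *.mydomain.com) and the placeholder PEM fixtures are constructed for this example. Two caveats the guide does not state: the root cert appended in step 4 is not needed in the served file, because a browser must already hold that root to trust the chain at all, so the example bundles key, server cert and intermediate only; and once the passphrase is removed the bundle holds a clear-text private key, so it should be readable only by the user Pound runs as (chmod 600).

```shell
#!/bin/sh
# Added example, not code from the thread or from Pound: pre-flight checks for
# the single PEM file that Pound's "Cert" directive loads. Assumed layout, as
# in the thread: private key, server cert, intermediate(s). The root cert is
# left out on purpose; a browser must already hold it to trust the chain.

# Labels of all PEM blocks in $1, in file order ("RSA PRIVATE KEY", ...).
pem_block_labels() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# The n-th ($2, 1-based) CERTIFICATE block of $1, markers included.
nth_cert() {
    awk -v n="$2" '/^-----BEGIN CERTIFICATE-----$/ { c++ }  c == n { print }
                   /^-----END CERTIFICATE-----$/ && c == n { exit }' "$1"
}

# Structural check, no openssl needed: the first block is an unencrypted private
# key and at least two certificates (server cert + intermediate) follow it.
check_pem_bundle() {
    f=$1; first=$(pem_block_labels "$f" | head -n 1)
    case "$first" in
        'RSA PRIVATE KEY' | 'EC PRIVATE KEY' | 'PRIVATE KEY') ;;
        'ENCRYPTED PRIVATE KEY')
            echo "$f: PKCS#8 key is passphrase-protected; strip it with 'openssl pkey'" >&2; return 1 ;;
        *)  echo "$f: first block must be the private key, found '${first:-nothing}'" >&2; return 1 ;;
    esac
    # Legacy PEM keys flag encryption in a header line, not in the label.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "$f: key is passphrase-protected; Pound cannot prompt for it ('openssl rsa' strips it)" >&2; return 1
    fi
    ncerts=$(pem_block_labels "$f" | grep -c '^CERTIFICATE$' || true)
    if [ "$ncerts" -lt 2 ]; then
        echo "$f: $ncerts certificate(s); expected server cert followed by the intermediate" >&2; return 1
    fi
    return 0
}

# Cryptographic check with openssl: the key belongs to the server cert, and the
# server cert verifies against root $2 using only the bundled intermediate,
# which is exactly what a browser that knows just the root will do.
verify_chain() {
    f=$1; root=$2; tmp=$(mktemp -d)
    nth_cert "$f" 1 > "$tmp/leaf.pem"; nth_cert "$f" 2 > "$tmp/inter.pem"
    kpub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$tmp/leaf.pem" -pubkey -noout 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "$f: private key does not belong to the server certificate" >&2; rm -rf "$tmp"; return 1
    fi
    openssl verify -CAfile "$root" -untrusted "$tmp/inter.pem" "$tmp/leaf.pem" >/dev/null 2>&1
    rc=$?; rm -rf "$tmp"; return $rc
}

# Constructed fixtures with placeholder bodies (not real key or cert material)
# that reproduce the mistakes from the thread; written into directory $1.
make_fixtures() {
    body='MIIBPlaceholderOnlyNotRealKeyOrCertMaterial='
    cert="-----BEGIN CERTIFICATE-----
$body
-----END CERTIFICATE-----"
    key="-----BEGIN RSA PRIVATE KEY-----
$body
-----END RSA PRIVATE KEY-----"
    enckey="-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

$body
-----END RSA PRIVATE KEY-----"
    printf '%s\n%s\n%s\n' "$key" "$cert" "$cert"    > "$1/good.pem"
    printf '%s\n%s\n%s\n' "$enckey" "$cert" "$cert" > "$1/encrypted.pem"
    printf '%s\n%s\n%s\n' "$cert" "$key" "$cert"    > "$1/cert-first.pem"
    printf '%s\n%s\n'     "$key" "$cert"            > "$1/no-intermediate.pem"
}

# Throwaway root -> SubCA -> wildcard chain (test names, 30-day certs) and the
# bundle in the thread's order, written into directory $1. Needs openssl.
make_test_chain() {
    d=$1; printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" -subj /CN=TestRoot -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" -subj /CN=TestSubCA 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" -subj '/CN=*.mydomain.com' 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial -out "$d/server.crt" -days 30 2>/dev/null
    cat "$d/server.key" "$d/server.crt" "$d/inter.pem" > "$d/finalcert.pem"
    chmod 600 "$d/finalcert.pem"   # clear-text key inside: readable by Pound's user only
}

main() {
    d=$(mktemp -d); make_fixtures "$d"
    for b in good encrypted cert-first no-intermediate; do
        check_pem_bundle "$d/$b.pem" && echo "$b.pem: usable" || echo "$b.pem: rejected"
    done
    if command -v openssl >/dev/null 2>&1; then
        make_test_chain "$d"
        check_pem_bundle "$d/finalcert.pem" && verify_chain "$d/finalcert.pem" "$d/root.pem" \
            && echo "finalcert.pem: key matches and chain verifies with the root alone"
    fi
    rm -rf "$d"
}
main
```

Run as-is for the demo; on a real host, call check_pem_bundle and verify_chain against /etc/pound/newfinalcert.pem and the CA's root cert file, and only restart Pound once both pass. The structural check alone already catches the "unknown directive"-style restart surprises that come from a bundle Pound cannot load; the openssl check is what tells you the intermediate actually links your server cert to the root the browsers carry.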
