[ILUG] auto generating ssl certs
Enda
enda at unison.ie
Tue Jul 27 11:40:00 IST 2004
John P. Looney wrote:
> On Mon, Jul 26, 2004 at 03:39:36PM +0100, Michele Neylon :: Blacknight Solutions mentioned:
>> Do you mean for self-signed ones?
>
> No, just something to let someone (who doesn't know how to use openssl)
> generate a cert & a CSR from a web page.
Pedantic point, but you generate a key, and then incorporate that into a CSR
in order to get a CA to produce a cert. It's a certificate template until the
CA signs it ;-p
The key generation must be done by the webserver, or within the webserver
rulesets, so for example, if you wanted to SSL enable a Netscape server, you
couldn't generate an arbitrary cert and import it in and have SSL working
perfectly, as the public key in the cert wouldn't necessarily match a private
key in the webserver. You would first have to use Netscape's key generation
programs to generate a public and private key pair, and it will automatically
add the private key to its keychain etc, and produce a certificate template
with the public key and produce a CSR.
So to have a webpage for the generation, your webserver needs to provide
this, or you need to develop it around the key generation process as
specified by your webserver, so until you know what webserver you're dealing
with, your query can't be answered.
If you're in the ISP business, yeah, you've got your own standard and can
implement something around that, but if you're looking for something to dish
out to clients, you need to have a program that has a localhost http engine
driving the process.
The CSR format then is another variable. Some CAs expect a binary encoded
CSR, some expect a PEM (base64) encoded version, and others handle both.
Webservers with processes for producing CSRs can be less flexible and force
a binary output etc.
Finally, you'll need a web interface to install the cert back into the
webserver, which is webserver dependent.
Lots of permutations and combinations there to play with, so unless you have
some more specifics it's unlikely that anyone can point you in the right
direction with your query!
Finally, most commercial webservers have exactly what you're looking for
with their own format restrictions and within the webserver admin interface.
If you're using a commercial (aka proprietary) webserver, then you're
probably looking for a webservices interface to expose that limited feature
set to the public view (assuming an ISP app).
HTH,
-Enda.
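
The sequence the message above describes (key first, then a CSR built from that key, in whichever encoding the CA accepts, with the key/CSR match checked before anything is installed), written with the openssl command line as an added example that is not part of the original post. It assumes a web server that reads OpenSSL-format PEM key files; the function names, file names and CN are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is
# installed; all file names and the subject CN are constructed placeholders.

# 1. Generate the private key on the server; it never needs to leave it.
gen_key() {            # $1 = key output file
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$1" 2>/dev/null )
}

# 2. Build the CSR around the public half of that key.
gen_csr() {            # $1 = key file, $2 = CSR output (PEM), $3 = common name
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2"
}

# 3. Some CAs want DER (binary), some PEM (base64): convert either way.
csr_pem_to_der() { openssl req -in "$1" -inform PEM -outform DER -out "$2"; }
csr_der_to_pem() { openssl req -in "$1" -inform DER -outform PEM -out "$2"; }

# Tell the two encodings apart by looking for the PEM armour line.
csr_format() {         # $1 = CSR file; prints PEM or DER
    if grep -q -- '-----BEGIN .*CERTIFICATE REQUEST-----' "$1"; then
        echo PEM
    else
        echo DER
    fi
}

# 4. Confirm the public key inside the CSR belongs to the private key the
#    server holds. Returns 0 on match, 1 on mismatch, 2 if openssl fails.
csr_matches_key() {    # $1 = key file, $2 = CSR file (PEM or DER)
    fmt=$(csr_format "$2")
    want=$(openssl pkey -in "$1" -pubout) || return 2
    got=$(openssl req -in "$2" -inform "$fmt" -noout -pubkey) || return 2
    [ "$want" = "$got" ]
}
```

The same comparison works for the signed certificate that comes back from the CA by reading its public key with `openssl x509 -in cert.pem -noout -pubkey` in place of the `openssl req` call.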