This is a follow-up question to my earlier question: http://stackoverflow.com/questions/1947608/authentication-based-on-certificates-and-ip

I am trying to do this for a very small company, and would like to rely only on open source resources. Please take into consideration the fact that I am absolutely (100%) new to the world of Security certificates and the secure protocol.

a) How can I create an SSL certificate for test purposes? (I can think of using paid ones for the production, but once I complete a working POC on this.)

b) How do I install the certificate on the four machines I have access to for the POC? Two of them are Win-XP and the other two are Win-7.

c) I don't think the servers I have (tomcat and glassfish) support HTTPS, so are there any known open source solutions for that?

d) Further, I would have to find out how to add the certificate, but that very well depends on the server I end up with. Is there any documentation related to this?

A: 

To answer your questions in the order that you have asked. Since you did not mention what environment you want to implement the solution in, I will endeavor to make this answer as generic as possible.

  • To create your own self-signed certificates purely for testing check here. You can use the 'OpenSSL' kit which is available to download.
  • I am not sure how you can install a self-signed certificate under win XP/Win 7, as they are more likely to reject them as they are not "authorized" nor signed by the Certificate Authority such as Thawte, maybe there is someone there who could properly answer this one, perhaps a registry hack/trick to fool Windows into thinking it is a "genuine" certificate.
  • Apache is the most well-known open source web-server, it has support for running the HTTPS protocol (usually running off port 443). If you have this Apache running, then a simple tweak to the configuration httpd.conf to get it to run... see this as an example:

#LoadModule ssl_module modules/mod_ssl.so

... Further info cut out ...

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf

#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

The LoadModule line above needs to be uncommented and Apache needs to be restarted in order to re-read the configuration with the changes made to it. Furthermore, you can get xampp which contains the Apache, MySql and Php/Perl stack for Windows. See here for further information on this. If you are running a Linux environment, then do a quick check to see if Apache is indeed installed by issuing the two commands below:

ps -elf | grep httpd
ls -l /etc/httpd/httpd.conf

(The first command checks to see if the httpd process is running and the second checks if you have the configuration file present if Apache is installed.)

  • Lastly, adding the certificate is basically dependent on how to add it as I have mentioned in the above that is the answer to your second question.

Hope this helps, Best regards, Tom.

tommieb75
Thanks tommieb, definitely helps. Will take some more time to completely digest it. Meanwhile, I would like to point out that my 4th question was not clear; I had meant to ask how to add the certificate to the web server's certificate pool. Probably docs on the Apache site might have the information...
frappuccino
About the environment: the laptops run Windows, the application would be deployed on a Unix box.
frappuccino
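
The self-signed test certificate from the answer's first point, generated with the OpenSSL command line and checked before it is handed to a web server. This is an added example, not part of the original thread; the host name `poc.example.test`, the file names and the two function names are constructed placeholders, and the `openssl` CLI is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Host name, file names and function
# names are constructed placeholders; requires the openssl CLI on PATH.

# make_test_cert DIR HOST [DAYS]: write DIR/server.key and DIR/server.crt
make_test_cert() {
    dir=$1; host=$2; days=${3:-30}
    mkdir -p "$dir" || return 1
    # Minimal config: subjectAltName is what current clients match the
    # host name against, so set it as well as the CN.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    ( umask 077   # keep the unencrypted private key owner-readable only
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -config "$dir/req.cnf" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# check_test_cert DIR HOST: return 0 only if every check passes
check_test_cert() {
    crt=$1/server.crt; key=$1/server.key
    [ -s "$crt" ] && [ -s "$key" ] || return 1
    # 1. certificate and private key carry the same public key
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 1
    # 2. self-signed: issuer and subject are the same name
    [ "$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')" ] || return 1
    # 3. not expired
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
    # 4. the host name is covered by the certificate
    openssl x509 -in "$crt" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage: make_test_cert ./poc-cert poc.example.test && check_test_cert ./poc-cert poc.example.test
# Apache's mod_ssl then takes the pair through the SSLCertificateFile and
# SSLCertificateKeyFile directives in conf/extra/httpd-ssl.conf.
```

The key is written without a passphrase so the server can start unattended, which is why the file is created under a restrictive umask.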