Comments on: HOWTO Configure Apache for SSL with DoD CAC Authentication on Ubuntu 9.04 http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/ Tech evangelism and Miso soup like no other Sun, 05 Feb 2012 18:03:00 +0000 hourly 1 http://wordpress.org/?v= By: Yermo http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-24297 Yermo Sun, 05 Feb 2012 18:03:00 +0000 http://techmiso.com/?p=1856#comment-24297 Relatively new to this world and this is day two of searching around trying to get a handle on how this work. Thank you for taking the time to write this post. One question, once authenticated what information is available to the web server? i.e. does any of the info transmitted to the server identify the individual user so one could, for instance, auto-log them into a drupal site? If so, how is that info made available? Through environment variables? Any pointers would be greatly appreciated. Thanks! Relatively new to this world and this is day two of searching around trying to get a handle on how this work. Thank you for taking the time to write this post. One question, once authenticated what information is available to the web server? i.e. does any of the info transmitted to the server identify the individual user so one could, for instance, auto-log them into a drupal site? If so, how is that info made available? Through environment variables?

Any pointers would be greatly appreciated. Thanks!

]]> By: Ralford100 http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-24295 Ralford100 Thu, 26 Jan 2012 14:39:00 +0000 http://techmiso.com/?p=1856#comment-24295 For RedHat, as of 1/26/2012: 1) Get the certificates from the DOD:# wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b# wget http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b# wget http://dodpki.c3pki.chamb.disa.mil/dodeca2.p7b 2) Convert to Apache format:# openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.p7b   -out rel3_dodroot_2048.pem -print_certs# openssl pkcs7 -inform DER -outform PEM -in dodeca.p7b -out dodeca.pem -print_certs# openssl pkcs7 -inform DER -outform PEM -in dodeca2.p7b -out dodeca2.pem -print_certs 3) Consolidate them into one file:# cat dodeca2.pem dodeca.pem rel3_dodroot_2048.pem > dod-root-certs.pem 4) Put them all into certs file:cp dodeca2.pem dodeca.pem rel3_dodroot_2048.pem dod-root-certs.pem /etc/pki/tls/certs 5) Modify Apache Configuration file (/etc/httpd/conf.d/ssl.conf) by setting the following:SSLVerifyClient requireSSLVerifyDepth 2SSLCertificateFile /etc/ssl/certs/.crtSSLCertificateKeyFile /etc/ssl/certs/.pemSSLCACertificateFile /etc/ssl/certs/dod-root-certs.pem 6) Restart Apache: service https restart For RedHat, as of 1/26/2012:

1) Get the certificates from the DOD:# wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b# wget http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b# wget http://dodpki.c3pki.chamb.disa.mil/dodeca2.p7b

2) Convert to Apache format:# openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.p7b   -out rel3_dodroot_2048.pem -print_certs# openssl pkcs7 -inform DER -outform PEM -in dodeca.p7b -out dodeca.pem -print_certs# openssl pkcs7 -inform DER -outform PEM -in dodeca2.p7b -out dodeca2.pem -print_certs

3) Consolidate them into one file:# cat dodeca2.pem dodeca.pem rel3_dodroot_2048.pem > dod-root-certs.pem

4) Put them all into certs file:cp dodeca2.pem dodeca.pem rel3_dodroot_2048.pem dod-root-certs.pem /etc/pki/tls/certs

5) Modify Apache Configuration file (/etc/httpd/conf.d/ssl.conf) by setting the following:SSLVerifyClient requireSSLVerifyDepth 2SSLCertificateFile /etc/ssl/certs/.crtSSLCertificateKeyFile /etc/ssl/certs/.pemSSLCACertificateFile /etc/ssl/certs/dod-root-certs.pem

6) Restart Apache: service https restart

]]> By: Mark Loper http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-13250 Mark Loper Tue, 04 Jan 2011 13:46:00 +0000 http://techmiso.com/?p=1856#comment-13250 Have you tried integrating with ocsp.disa.mil? I came across your blog while trying to find anyone who has done this successfully. I'm running outside the domain, so that may be the problem. The CAC tells the server to use ocsp, but I can't tell if it's even running out there. The server doesn't seem to respond, but I'm not sure if it should either. thoughts? Have you tried integrating with ocsp.disa.mil? I came across your blog while trying to find anyone who has done this successfully. I’m running outside the domain, so that may be the problem. The CAC tells the server to use ocsp, but I can’t tell if it’s even running out there. The server doesn’t seem to respond, but I’m not sure if it should either. thoughts?

]]> By: matthew http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-5692 matthew Wed, 03 Mar 2010 05:55:58 +0000 http://techmiso.com/?p=1856#comment-5692 openssl crl -in DOD_CA-13.crl -inform DER -out DOD_CA-13.crl -outform PEM <br>Nevemind this works openssl crl -in DOD_CA-13.crl -inform DER -out DOD_CA-13.crl -outform PEM
Nevemind this works

]]> By: Matthew http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-5691 Matthew Wed, 03 Mar 2010 05:36:51 +0000 http://techmiso.com/?p=1856#comment-5691 Have messed with the CRL files at all? Looks like they not in a format mod_ssl likes. Have messed with the CRL files at all? Looks like they not in a format mod_ssl likes.

]]> By: Chad http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-3737 Chad Wed, 06 Jan 2010 09:24:55 +0000 http://techmiso.com/?p=1856#comment-3737 Does any currently use DoD CAC and DoD ECA PKI both on the same site? Does any currently use DoD CAC and DoD ECA PKI both on the same site?

]]> By: Chad http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-16505 Chad Tue, 05 Jan 2010 19:24:00 +0000 http://techmiso.com/?p=1856#comment-16505 Does any currently use DoD CAC and DoD ECA PKI both on the same site? Does any currently use DoD CAC and DoD ECA PKI both on the same site?

]]> By: xw0rm http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-2810 xw0rm Fri, 18 Dec 2009 10:32:58 +0000 http://techmiso.com/?p=1856#comment-2810 OK, so I have already done this, but there is a new dodeca2.cac cert listed on the DISA web site (making the total number of root certs four now, instead of three). How does one add this in? OK, so I have already done this, but there is a new dodeca2.cac cert listed on the DISA web site (making the total number of root certs four now, instead of three). How does one add this in?

]]> By: Scott Jarkoff http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-2509 Scott Jarkoff Thu, 10 Dec 2009 12:01:16 +0000 http://techmiso.com/?p=1856#comment-2509 I can't imagine it being any different though I would wonder why you would need to read CAC's from a non-DoD server. In any case, since it's Windows I expect you would have to use Tumbleweed and possibly ActiveCard, though I honestly have no experience in that arena (ie. setting up a Windows server to authenticate DoD CAC's). I can't imagine it being any different though I would wonder why you would need to read CAC's from a non-DoD server. In any case, since it's Windows I expect you would have to use Tumbleweed and possibly ActiveCard, though I honestly have no experience in that arena (ie. setting up a Windows server to authenticate DoD CAC's).

]]> By: elitz http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-2425 elitz Wed, 09 Dec 2009 09:02:49 +0000 http://techmiso.com/?p=1856#comment-2425 Scott: you mentioned somewhere in your notes experimenting with using dod cac's on a non-DOD server (not on any of the military domains). I'm attempting to read cac cards on a non-DOD server. Happens to be a windows server..so not exactly relevant to above aritlce, but none the less i thought i'd ask in case you had any insight into this subject. thanks. Scott: you mentioned somewhere in your notes experimenting with using dod cac's on a non-DOD server (not on any of the military domains). I'm attempting to read cac cards on a non-DOD server. Happens to be a windows server..so not exactly relevant to above aritlce, but none the less i thought i'd ask in case you had any insight into this subject. thanks.

]]> By: Scott Jarkoff http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-1263 Scott Jarkoff Sat, 19 Sep 2009 11:46:04 +0000 http://techmiso.com/?p=1856#comment-1263 There is no reason why this will not work on other versions of Ubuntu. You may need to adjust a thing or two but for the most part everything should work as listed above. There is no reason why this will not work on other versions of Ubuntu. You may need to adjust a thing or two but for the most part everything should work as listed above.

]]> By: Scott Jarkoff http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-1264 Scott Jarkoff Sat, 19 Sep 2009 11:45:24 +0000 http://techmiso.com/?p=1856#comment-1264 Based on DoD policy, the cert needs to be issued by DISA. Self-signed certs, while fine for testing are not valid for everyday use. Based on DoD policy, the cert needs to be issued by DISA. Self-signed certs, while fine for testing are not valid for everyday use.

]]> By: redskinsone http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-1262 redskinsone Sat, 19 Sep 2009 02:08:31 +0000 http://techmiso.com/?p=1856#comment-1262 Is Step #7 above required -- does your server cert need to be issued by the DoD ? Can it just be a self-signed or issued by VeriSign? Is Step #7 above required — does your server cert need to be issued by the DoD ? Can it just be a self-signed or issued by VeriSign?

]]> By: eddiepetosa http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-1255 eddiepetosa Sun, 13 Sep 2009 22:40:07 +0000 http://techmiso.com/?p=1856#comment-1255 Will this work on other versions of Ubuntu? Or is there another tutorial for that? <br>Eddie Petosa <br><a rel="follow" href="http://www.123-reg.co.uk/ssl-certificates/" rel="nofollow">ssl certificates</a> Will this work on other versions of Ubuntu? Or is there another tutorial for that?
Eddie Petosa
ssl certificates

]]> By: CrimsonKnight13 http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-968 CrimsonKnight13 Fri, 15 May 2009 08:26:13 +0000 http://techmiso.com/?p=1856#comment-968 Excellent article. Helped solve my dilemma. Thanks! Excellent article. Helped solve my dilemma. Thanks!

]]> By: Matthew http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/comment-page-1/#comment-932 Matthew Fri, 08 May 2009 04:19:21 +0000 http://techmiso.com/?p=1856#comment-932 worked great apache2.2 Solaris 10 x86 worked great apache2.2 Solaris 10 x86

]]>