[rs-commit] r71 - in /rs-manual/trunk/src/site: ./ xhtml5/ xhtml5/mod/
rs-commit at redwax.eu
Mon Sep 2 23:10:55 CEST 2019
Author: minfrin at redwax.eu
Date: Mon Sep 2 23:10:54 2019
New Revision: 71
Log:
Move modules to the mod directory.
Added:
rs-manual/trunk/src/site/xhtml5/mod/
rs-manual/trunk/src/site/xhtml5/mod/mod_ca.xhtml5
- copied unchanged from r70, rs-manual/trunk/src/site/xhtml5/mod_ca.xhtml5
rs-manual/trunk/src/site/xhtml5/mod/mod_crl.xhtml5
- copied unchanged from r70, rs-manual/trunk/src/site/xhtml5/mod_crl.xhtml5
rs-manual/trunk/src/site/xhtml5/mod/mod_csr.xhtml5
- copied unchanged from r70, rs-manual/trunk/src/site/xhtml5/mod_csr.xhtml5
rs-manual/trunk/src/site/xhtml5/mod/mod_ocsp.xhtml5
- copied unchanged from r70, rs-manual/trunk/src/site/xhtml5/mod_ocsp.xhtml5
rs-manual/trunk/src/site/xhtml5/mod/mod_pkcs12.xhtml5
- copied unchanged from r70, rs-manual/trunk/src/site/xhtml5/mod_pkcs12.xhtml5
rs-manual/trunk/src/site/xhtml5/mod/mod_scep.xhtml5
- copied unchanged from r70, rs-manual/trunk/src/site/xhtml5/mod_scep.xhtml5
rs-manual/trunk/src/site/xhtml5/mod/mod_spkac.xhtml5
- copied unchanged from r70, rs-manual/trunk/src/site/xhtml5/mod_spkac.xhtml5
Removed:
rs-manual/trunk/src/site/xhtml5/mod_ca.xhtml5
rs-manual/trunk/src/site/xhtml5/mod_crl.xhtml5
rs-manual/trunk/src/site/xhtml5/mod_csr.xhtml5
rs-manual/trunk/src/site/xhtml5/mod_ocsp.xhtml5
rs-manual/trunk/src/site/xhtml5/mod_pkcs12.xhtml5
rs-manual/trunk/src/site/xhtml5/mod_scep.xhtml5
rs-manual/trunk/src/site/xhtml5/mod_spkac.xhtml5
Modified:
rs-manual/trunk/src/site/site.xml
Modified: rs-manual/trunk/src/site/site.xml
==============================================================================
--- rs-manual/trunk/src/site/site.xml (original)
+++ rs-manual/trunk/src/site/site.xml Mon Sep 2 23:10:54 2019
@@ -35,13 +35,13 @@
<item name="User Guide" href="userguide.html"/>
<item name="FAQ" href="faq.html"/>
<item name="Glossary" href="glossary.html"/>
- <item name="mod_ca Module" href="mod_ca.html"/>
- <item name="mod_crl Module" href="mod_crl.html"/>
- <item name="mod_csr Module" href="mod_csr.html"/>
- <item name="mod_ocsp Module" href="mod_ocsp.html"/>
- <item name="mod_pkcs12 Module" href="mod_pkcs12.html"/>
- <item name="mod_scep Module" href="mod_scep.html"/>
- <item name="mod_spkac Module" href="mod_spkac.html"/>
+ <item name="mod_ca Module" href="mod/mod_ca.html"/>
+ <item name="mod_crl Module" href="mod/mod_crl.html"/>
+ <item name="mod_csr Module" href="mod/mod_csr.html"/>
+ <item name="mod_ocsp Module" href="mod/mod_ocsp.html"/>
+ <item name="mod_pkcs12 Module" href="mod/mod_pkcs12.html"/>
+ <item name="mod_scep Module" href="mod/mod_scep.html"/>
+ <item name="mod_spkac Module" href="mod/mod_spkac.html"/>
</menu>
<links>
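Review bot: The seven hrefs in this menu block now point into mod/, but the log lists the module pages as copied unchanged from r70, and those pages carry relative references such as href="subjects.html" and src="images/mod_crl.png". Links between the module pages keep working because they move together, but subjects.html and images/ are not among the added paths, so from mod/ those references resolve to mod/subjects.html and mod/images/. Either rewrite them as ../subjects.html and ../images/... in the same commit, or move those resources along with the pages.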
Removed: rs-manual/trunk/src/site/xhtml5/mod_ca.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod_ca.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod_ca.xhtml5 (removed)
@@ -1,56 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
- <head>
- <title>Virtual Library</title>
- </head>
- <body>
- <div class="index align-left">
-
- <section>
- <header>
- <h2>My Header</h2>
- </header>
- <div class="content">
- <p>Moved to <a href="http://example.org/">example.org</a>.</p>
-
-<table>
-<tbody>
-<tr>
- <td>Description</td>
- <td>Foo</td>
-</tr>
-<tr>
- <td>Syntax</td>
- <td>Foo</td>
-</tr>
-<tr>
- <td>Default</td>
- <td>Foo</td>
-</tr>
-<tr>
- <td>Context</td>
- <td>Foo</td>
-</tr>
-<tr>
- <td>Status</td>
- <td>Foo</td>
-</tr>
-<tr>
- <td>Module</td>
- <td>Foo</td>
-</tr>
-<tr>
- <td>Compatibility</td>
- <td>Foo</td>
-</tr>
-</tbody>
-</table>
-
- </div>
- </section>
-
- </div>
- </body>
-</html>
-
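Review bot: The body of this file is template filler (title "Virtual Library", heading "My Header", a "Moved to example.org" paragraph and a table whose every value is "Foo"), yet the log copies it unchanged to mod/mod_ca.xhtml5 and the menu presents it as "mod_ca Module". The other module pages link to mod_ca.html#frontend, mod_ca.html#backend and mod_ca.html#ca_getcrl, and no element in this file carries those ids, so each of those links lands on a page with no matching section. Either add the anchored frontend, backend and hook sections, or leave the menu entry out until the page has real content.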
Removed: rs-manual/trunk/src/site/xhtml5/mod_crl.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod_crl.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod_crl.xhtml5 (removed)
@@ -1,313 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
- <head>
- <title>mod_crl Module</title>
- </head>
- <body>
- <div class="index align-left">
-
- <section class="wrapper style1 align-center"
- id="introduction">
- <div class="inner">
- <h2>Certificate Revocation List Module</h2>
- <p>Generate and return a certificate revocation list as a response.</p>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>What does it do?</h3>
- </header>
- <div class="content">
-
- <p>
- Based on configuration of the backend modules, the certificate chain
- is returned as a DER or PEM encoded certificate revocation list as
- per <a href="https://tools.ietf.org/html/rfc5280">RFC5280</a>.
- </p>
-
-<!-- support the Accept header -->
-
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
-
- <section class="wrapper style1 align-center" id="integration">
- <div class="inner">
- <h2>Module Integration</h2>
- <p>
- The
- <code>mod_crl</code>
- module is a
- <a href="mod_ca.html#frontend">frontend module</a>
- and will not do anything useful until
- <code>mod_crl</code>
- has been combined with one or
- more
- <a href="mod_ca.html#backend">backend modules</a>
- listed below. The
- <code>mod_crl</code>
- module uses the following hook to get the certificate revocation list, and suitable
- <a href="mod_ca.html#backend">backend modules</a>
- must be configured to implement each hook as needed.
- </p>
-
- <p>
- All <a href="mod_ca.html#frontend">frontend modules</a> run within
- a standard Apache httpd request, and standard httpd functionality
- applies in all cases.
- </p>
-
- <div>
- <img src="images/mod_crl.png" style="width: 100%;" />
- </div>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_getcrl">Certificate Revocation List Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hook returns the certificate revocation list for the configured
- certificate authority.
- </p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_crl.html#ca_getcrl">mod_ca_crl</a>
- </td>
- <td>Read the certificate sign request from disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Examples</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>Basic Example</h3>
- </header>
- <div class="content">
- <p>The simplest case: return the certificate revocation list to anybody who wants one.</p>
-<pre><code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_crl.c>
- # return this crl
- CACRLCertificateRevocationList /etc/pki/tls/ca-crl.pem
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_crl.c>
- <Location /crl>
- SetHandler crl
- </Location>
-</IfModule>
-]]></code></pre>
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Directive Reference</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>CrlFreshness Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>The max-age of the certificate revocation list will be divided by this
- factor.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CrlFreshness factor [max-seconds]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CrlFreshness 2 86400</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_crl</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_crl 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>The age of the certificate revocation list will be divided by this
- factor when added as a max-age, set
- to zero to disable. Defaults to "2". An optional maximum value
- can be specified, defaults
- to one day.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CrlLocation Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the URL location of the WADL returned by the OPTIONS
- method.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CrlLocation url</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CrlLocation [current-URL]</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_crl</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_crl 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the URL location of the WADL returned by the OPTIONS
- method.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CrlEncoding Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the default encoding to be returned if not specified.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CrlEncoding encoding</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CrlEncoding der</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_crl</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_crl 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the default encoding to be returned if not specified. Must be
- one of "pem", "x-pem" or "der".
- </p>
-
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
- </div>
- </body>
-</html>
-
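Review bot: In the Certificate Revocation List Hook table the mod_ca_crl row reads "Read the certificate sign request from disk.", which does not match a hook that returns the revocation list (the example below it configures CACRLCertificateRevocationList); the text looks carried over from another page and should describe reading the certificate revocation list. In the same file, the Examples section and the Directive Reference section both use id="directive-reference", so the id is duplicated within one document and fragment links can only reach the first; give the Examples section its own id.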
Removed: rs-manual/trunk/src/site/xhtml5/mod_csr.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod_csr.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod_csr.xhtml5 (removed)
@@ -1,803 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
- <head>
- <title>mod_csr Module</title>
- </head>
- <body>
- <div class="index align-left">
-
- <section class="wrapper style1 align-center"
- id="introduction">
- <div class="inner">
- <h2>Certificate Sign Request Module</h2>
- <p>Generate and issue certificates in response to an X509
- certificate request.</p>
-
- <div class="index align-left">
-
-
-
- <section>
- <header>
- <h3>What does it do?</h3>
- </header>
- <div class="content">
- <p>
- This module accepts a
- <code>application/x-www-form-urlencoded</code>
- form submission request
- containing a PEM encoded PKCS10 X509 certificate request among further
- optional
- parameters.
- </p>
-
- <p>Based on configuration, parameters can be passed from the
- incoming certificate sign request,
- optional form parameters, or explicit expressions, and a new
- certificate sign request with
- acceptable parameters is passed to suitably configured backend modules
- for request authorisation,
- certificate signing and issuing, and certificate storage.</p>
-
- <p>
- The resulting certificate chain is returned by default as a DER
- encoded PKCS7
- certificate. If the
- <code>Accept</code>
- header is given in the request and set
- to
- <code>application/pkcs7-mime</code>
- , the certificate chain is returned as a PEM encoded
- PKCS7 certificate instead.
- </p>
-
- <p>
- This module can be configured to respond to
- <a
- href="https://blogs.msdn.microsoft.com/ieinternals/2010/05/14/certificate-enrollment-from-the-browser/">
- CertEnroll requests</a>
- as supported by Microsoft Internet Explorer.
- </p>
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
-
- <section class="wrapper style1 align-center" id="integration">
- <div class="inner">
- <h2>Module Integration</h2>
- <p>
- The
- <code>mod_csr</code>
- module is a
- <a href="mod_ca.html#frontend">frontend module</a>
- and will not do anything useful until
- <code>mod_csr</code>
- has been combined with one or
- more
- <a href="mod_ca.html#backend">backend modules</a>
- listed below. The
- <code>mod_csr</code>
- module uses the following hooks to authorise, sign/issue and
- store a
- certificate, and suitable
- <a href="mod_ca.html#backend">backend modules</a>
- must be configured to implement each hook as needed.
- </p>
-
- <p>
- All <a href="mod_ca.html#frontend">frontend modules</a> run within
- a standard Apache httpd request, and standard httpd functionality
- applies in all cases.
- </p>
-
- <div>
- <img src="images/mod_csr.png" style="width: 100%;" />
- </div>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_reqauthz">Request Authorization Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This optional hook allows you to verify the parameters
- included with the certificate sign request, such as the
- challenge password. If left unconfigured, all certificate
- requests will be accepted.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_ldap.html#ca_reqauthz">mod_ca_ldap</a>
- </td>
- <td>Allows the certificate sign request to be verified
- against an LDAP directory.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_sign">Sign Request Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hooks signs the certificate sign request and returns the
- issued certificate. The hook is mandatory, and the request will
- be rejected if left unconfigured.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_disk.html#ca_sign">mod_ca_disk</a>
- </td>
- <td>Allows certificate sign requests to be saved to disk for
- later out of band processing. The response will redirect the
- caller to where the certificate can be collected.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_engine.html#ca_sign">mod_ca_engine</a>
- </td>
- <td>Allows certificate sign requests to be signed by an HSM
- such as a smartcard.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_simple.html#ca_sign">mod_ca_simple</a>
- </td>
- <td>Allows certificate sign requests to be signed by a
- certificate and key specified on disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_certstore">Certificate Storage Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This optional hook allows the newly generated certificate to
- be stored locally or in a database or directory. If left
- unconfigured, no local copy of the certificate will be stored.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_ldap.html#ca_certstore">mod_ca_ldap</a>
- </td>
- <td>Saves the newly issued PKCS7 certificate and chain to an
- LDAP directory.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Examples</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>Basic Example</h3>
- </header>
- <div class="content">
- <p>The simplest case: issue a certificate to anybody who wants one.</p>
-<pre><code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_csr.c>
- <Location /csr>
- SetHandler csr
- # use subject from the certificate sign request unmodified
- CsrSubjectRequest *
- </Location>
-</IfModule>
-]]></code></pre>
- </div>
- </section>
-
- <section>
- <header>
- <h3>Logged In Example</h3>
- </header>
- <div class="content">
- <p>A more typical scenario: issue a certificate to a logged in user.</p>
- <p>In this example it is assumed that Apache configuration exists that
- authenticates a user against a database, directory, a token, or a previous
- certificate.
- </p>
-<pre><code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_csr.c>
- <Location /csr>
- SetHandler csr
- # standard Apache authorisation
- Require valid-user
- # set the common name to the logged in username
- CsrSubjectSet CN %{REMOTE_USER}
- # set a fixed OU field in the subject
- CsrSubjectSet OU "Terms and Conditions Apply"
- </Location>
-</IfModule>
-]]></code></pre>
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Directive Reference</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>CsrFreshness Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>The max-age of the certificates will be divided by this
- factor.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrFreshness factor [max-seconds]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CsrFreshness 2 86400</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>The age of the certificates will be divided by this factor
- when added as a max-age, set
- to zero to disable. Defaults to "2". An optional maximum value
- can be specified, defaults
- to one day.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CsrLocation Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the URL location of the WADL returned by the OPTIONS
- method.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrLocation url</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CsrLocation [current-URL]</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the URL location of the WADL returned by the OPTIONS
- method.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CsrParamPkcs10 Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the name of the form parameter containing the PEM
- encoded PKCS10 certificate sign request.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrParamPkcs10 param</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CsrParamPkcs10 pkcs10</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the name of the form parameter containing the PEM encoded
- PKCS10 certificate sign request.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CsrParamChallenge Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the name of the form parameter containing the
- challenge.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrParamChallenge param</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CsrParamChallenge challenge</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the name of the form parameter containing the challenge,
- if not present in the certificate sign request.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CsrSize Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the maximum size of the form submitted by the
- client.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrSize bytes</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CsrSize 131072</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the maximum size of the form request from the client.
- This value cannot be smaller than 4096 bytes.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CsrSubjectAltNameRequest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify fields in the certificate request subject
- alternative name that will be copied over to the
- certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrSubjectAltNameRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify fields in the certificate request subject alternative name that will
- be copied over to the certificate, with optional limit to the
- number of fields that may appear.</p>
-
- <p>If a wildcard is used, all fields in the certificate request
- subject alternative name will be copied across unmodified.
- </p>
-
- <p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
- <code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
- <code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
- <code>iPAddress</code>, or <code>registeredID</code> and are described in
- the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CsrSubjectAltNameSet Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify an expression that will be included in the
- certificate subject alternative name.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrSubjectAltNameSet field value</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify an expression that will be included in the
- certificate subject alternative name.</p>
-
- <p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
- <code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
- <code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
- <code>iPAddress</code>, or <code>registeredID</code> and are described in
- the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CsrSubjectRequest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify fields in the certificate request subject that
- will be copied over to the certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrSubjectRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>CsrSubjectRequest field 1</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify fields in the certificate request subject that will
- be copied over to the certificate, with optional limit to the
- number of fields that may appear.</p>
-
- <p>If a wildcard is used, all fields in the certificate request
- subject alternative name will be copied across unmodified.
- </p>
-
- <p>Subject handling is covered in detail in the <a href="subjects.html">
- Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>CsrSubjectSet Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify an expression that will be included in the
- certificate subject.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>CsrSubjectSet field value</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_csr</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_csr 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify an expression that will be included in the
- certificate subject. Subject attribute name is configured first, then
- the expression.</p>
-
- <p>Subject handling is covered in detail in the <a href="subjects.html">
- Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
- </div>
- </body>
-</html>
-
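Review bot: The Basic Example's Location /csr block has no Require line and copies the subject with CsrSubjectRequest *, while the Request Authorization Hook section states that, if left unconfigured, all certificate requests will be accepted. The page should say next to that example that it signs whatever subject the requester supplies, and point readers to the Logged In Example (Require valid-user with CsrSubjectSet CN %{REMOTE_USER}) as the configuration to start from. Two wording points in the same file: the wildcard paragraph under CsrSubjectRequest says "subject alternative name" where the directive concerns the subject, and "This hooks signs" in the Sign Request Hook section should read "This hook signs". The Examples and Directive Reference sections also share id="directive-reference".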
Removed: rs-manual/trunk/src/site/xhtml5/mod_ocsp.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod_ocsp.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod_ocsp.xhtml5 (removed)
@@ -1,874 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
- <head>
- <title>mod_ocsp Module</title>
- </head>
- <body>
- <div class="index align-left">
-
- <section class="wrapper style1 align-center"
- id="introduction">
- <div class="inner">
- <h2>Online Certificate Status Protocol Module</h2>
- <p>Respond with the revocation status of a certificate.</p>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>What does it do?</h3>
- </header>
- <div class="content">
-
- <p>
- Based on configuration of the backend modules, an Online Certificate
- Status Protocol response is returned for the given certificate as
- per <a href="https://tools.ietf.org/html/rfc6960">RFC6960</a>.
- </p>
-
-<!-- support the Accept header -->
-
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
-
- <section class="wrapper style1 align-center" id="integration">
- <div class="inner">
- <h2>Module Integration</h2>
- <p>
- The
- <code>mod_ocsp</code>
- module is a
- <a href="mod_ca.html#frontend">frontend module</a>
- and will not do anything useful until
- <code>mod_ocsp</code>
- has been combined with one or
- more
- <a href="mod_ca.html#backend">backend modules</a>
- listed below. The
- <code>mod_ocsp</code>
- module uses the following hook to check the certificate status against
- the certificate revocation list, and suitable
- <a href="mod_ca.html#backend">backend modules</a>
- must be configured to implement each hook as needed.
- </p>
-
- <p>
- All <a href="mod_ca.html#frontend">frontend modules</a> run within
- a standard Apache httpd request, and standard httpd functionality
- applies in all cases.
- </p>
-
- <div>
- <img src="images/mod_ocsp-1.png" style="width: 100%;" />
- </div>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_getca">Get CA Certificate Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hook returns CA certificates for the given CA.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_engine.html#ca_getca">mod_ca_engine</a>
- </td>
- <td>Returns CA certificates that would sign certificate sign requests by an HSM
- such as a smartcard.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_simple.html#ca_getca">mod_ca_simple</a>
- </td>
- <td>Returns CA certificates that would sign certificate sign requests by a
- certificate and key specified on disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_getcertstatus">Certificate Status Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hook returns the certificate status for the given certificate.
- </p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_crl.html#ca_getcertstatus">mod_ca_crl</a>
- </td>
- <td>Check the certificate status against the certificate sign request from disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Examples</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>Basic Example</h3>
- </header>
- <div class="content">
- <p>The simplest case: return the certificate revocation list to anybody who wants one.</p>
-<pre><code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_crl.c>
- # return this crl
- CACRLCertificateRevocationList /etc/pki/tls/ca-crl.pem
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_ocsp.c>
- <Location /ocsp>
- SetHandler ocsp
- OcspSigningCertificate /etc/pki/tls/ocsp.cert
- OcspSigningKey /etc/pki/tls/ocsp.key
- </Location>
-</IfModule>
-]]></code></pre>
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Directive Reference</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>OcspSigningCertificate Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the name of the signing certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspSigningCertificate filename</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>none</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the name of the signing certificate.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspSigningKey Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the name of the signing key.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspSigningKey filename</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>none</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the name of the signing key.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspOtherCertificates Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the name of a file containing other certificates to add to the response.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspOtherCertificates filename</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>none</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the name of a file containing other certificates to add to the response.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspSize Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the maximum size of the OCSP request from the
- client.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspSize bytes</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>OcspSize 131072</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the maximum size of the OCSP request from the client.
- This value cannot be smaller than 4096 bytes.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspLocation Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the URL location of the WADL returned by the OPTIONS
- method.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspLocation url</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>OcspLocation [current-URL]</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the URL location of the WADL returned by the OPTIONS
- method.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspNextUpdate Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the number of seconds until the next update.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspNextUpdate seconds</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>OcspNextUpdate 0</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the number of seconds until the next update. Defaults
- to zero (to disable).</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspNoCertificates Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to 'on' to suppress the sending of certificates in the response.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspNoCertificates flag</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>OcspNoCertificates off</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to 'on' to suppress the sending of certificates in the
- response. Defaults to 'off'.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspIdentifyByKeyID Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to 'on' to identify the signer certificate by key ID.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspIdentifyByKeyID flag</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>OcspIdentifyByKeyID off</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to 'on' to identify the signer certificate by key ID. Defaults
- to 'off' for subject name.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspOverrideReason Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Mark all certificates as revoked, giving this reason.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspOverrideReason string</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>none</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Mark all certificates as revoked, giving this reason.
- </p>
-
- <p>Reasons must be one of:
- </p>
-
- <ul>
- <li>unspecified</li>
- <li>keyCompromise</li>
- <li>CACompromise</li>
- <li>affiliationChanged</li>
- <li>superseded</li>
- <li>cessationOfOperation</li>
- <li>certificateHold</li>
- <li>removeFromCRL</li>
- </ul>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspOverrideRevocationTime Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>If all certificates are revoked, add this revocation time.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspOverrideRevocationTime YYYYMMDDHHMMSSZ</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>None</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>If all certificates are revoked, add this revocation time, formatted
- as per http://tools.ietf.org/html/rfc2459#section-4.1.2.5.2
- (YYYYMMDDHHMMSSZ)</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspOverrideInvalidityDate Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>If all certificates are revoked, add this invalidity date.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspOverrideInvalidityDate YYYYMMDDHHMMSSZ</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>None</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>If all certificates are revoked, add this invalidity date, formatted
- as per http://tools.ietf.org/html/rfc2459#section-4.1.2.5.2
- (YYYYMMDDHHMMSSZ)
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspOverrideHoldInstruction Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>If all certificates are revoked, add this hold instruction.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspOverrideHoldInstruction string</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>none</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>If all certificates are revoked, add this hold instruction, formatted
- as an OID.
- </p>
-
- <p>Instructions must be one of:
- </p>
-
- <ul>
- <li>holdInstructionCallIssuer</li>
- <li>holdInstructionReject</li>
- </ul>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>OcspFreshness Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>The max-age of the certificate revocation list will be divided by this
- factor.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>OcspFreshness factor [max-seconds]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>OcspFreshness 2 86400</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_ocsp</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_ocsp 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>The age of the certificate revocation list will be divided by this
- factor when added as a max-age, set
- to zero to disable. Defaults to "2". An optional maximum value
- can be specified, defaults
- to one day.</p>
-
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
- </div>
- </body>
-</html>
-
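Review bot: In the OcspSize Directive table the Module row reads mod_scep, while the Compatibility row of the same table and every other directive in this file say mod_ocsp; since the file is copied unchanged into mod/, correct that row to mod_ocsp in the new copy. The Examples section also carries id="directive-reference", the same id as the Directive Reference section that follows it, so give the Examples section its own id to keep ids unique within the page. Separately, the Certificate Status Hook row for mod_ca_crl says the status is checked against the "certificate sign request from disk", yet the Basic Example configures CACRLCertificateRevocationList; please confirm whether that row should say certificate revocation list.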
Removed: rs-manual/trunk/src/site/xhtml5/mod_pkcs12.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod_pkcs12.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod_pkcs12.xhtml5 (removed)
@@ -1,1003 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
- <head>
- <title>mod_pkcs12 Module</title>
- </head>
- <body>
- <div class="index align-left">
-
- <section class="wrapper style1 align-center"
- id="introduction">
- <div class="inner">
- <h2>PKCS12 Module</h2>
- <p>Generate public/private key pairs and and issue certificates in response
- to a <code>application/x-www-form-urlencoded</code> form request.</p>
-
- <div class="index align-left">
-
-
-
- <section>
- <header>
- <h3>What does it do?</h3>
- </header>
- <div class="content">
- <p>
- This module accepts a
- <code>application/x-www-form-urlencoded</code>
- form submission request
- containing optional parameters.
- </p>
-
- <p>Based on configuration, optional form parameters can be passed from the
- incoming request, or explicit expressions, and a new
- certificate sign request with
- acceptable parameters is passed to suitably configured backend modules
- for request authorisation,
- certificate signing and issuing, and certificate storage.</p>
-
- <p>
- The resulting certificate chain and private key is returned as a DER
- encoded PKCS12
- certificate and key.
- </p>
-
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
-
- <section class="wrapper style1 align-center" id="integration">
- <div class="inner">
- <h2>Module Integration</h2>
- <p>
- The
- <code>mod_pkcs12</code>
- module is a
- <a href="mod_ca.html#frontend">frontend module</a>
- and will not do anything useful until
- <code>mod_pkcs12</code>
- has been combined with one or
- more
- <a href="mod_ca.html#backend">backend modules</a>
- listed below. The
- <code>mod_pkcs12</code>
- module uses the following hooks to authorise, sign/issue and
- store a
- certificate, and suitable
- <a href="mod_ca.html#backend">backend modules</a>
- must be configured to implement each hook as needed.
- </p>
-
- <p>
- All <a href="mod_ca.html#frontend">frontend modules</a> run within
- a standard Apache httpd request, and standard httpd functionality
- applies in all cases.
- </p>
-
- <div>
- <img src="images/mod_pkcs12.png" style="width: 100%;" />
- </div>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_reqauthz">Request Authorization Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This optional hook allows you to verify the parameters
- included with the certificate sign request, such as the
- challenge password. If left unconfigured, all certificate
- requests will be accepted.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_ldap.html#ca_reqauthz">mod_ca_ldap</a>
- </td>
- <td>Allows the certificate sign request to be verified
- against an LDAP directory.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_makekey">Make Key Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hook generates a public/private key pair. The hook is
- mandatory, and the request will be rejected if left unconfigured.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_simple.html#ca_makekey">mod_ca_simple</a>
- </td>
- <td>Generates a public/private key.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_sign">Sign Request Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hooks signs the certificate sign request and returns the
- issued certificate. The hook is mandatory, and the request will
- be rejected if left unconfigured.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_disk.html#ca_sign">mod_ca_disk</a>
- </td>
- <td>Allows certificate sign requests to be saved to disk for
- later out of band processing. The response will redirect the
- caller to where the certificate can be collected.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_engine.html#ca_sign">mod_ca_engine</a>
- </td>
- <td>Allows certificate sign requests to be signed by an HSM
- such as a smartcard.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_simple.html#ca_sign">mod_ca_simple</a>
- </td>
- <td>Allows certificate sign requests to be signed by a
- certificate and key specified on disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_certstore">Certificate Storage Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This optional hook allows the newly generated certificate to
- be stored locally or in a database or directory. If left
- unconfigured, no local copy of the certificate will be stored.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_ldap.html#ca_certstore">mod_ca_ldap</a>
- </td>
- <td>Saves the newly issued PKCS7 certificate and chain to an
- LDAP directory.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Examples</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>Basic Example</h3>
- </header>
- <div class="content">
- <p>The simplest case: issue a certificate to anybody who wants one.</p>
-<pre><code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_pkcs12.c>
- <Location /pkcs12>
- SetHandler pkcs12
- # use subject from the certificate sign request unmodified
- Pkcs12SubjectRequest *
- </Location>
-</IfModule>
-]]></code></pre>
- </div>
- </section>
-
- <section>
- <header>
- <h3>Logged In Example</h3>
- </header>
- <div class="content">
- <p>A more typical scenario: issue a certificate to a logged in user.</p>
- <p>In this example it is assumed that Apache configuration exists that
- authenticates a user against a database, directory, a token, or a previous
- certificate.
- </p>
-<pre><code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_pkcs12.c>
- <Location /pkcs12>
- SetHandler pkcs12
- # standard Apache authorisation
- Require valid-user
- # set the common name to the logged in username
- Pkcs12SubjectSet CN %{REMOTE_USER}
- # set a fixed OU field in the subject
- Pkcs12SubjectSet OU "Terms and Conditions Apply"
- </Location>
-</IfModule>
-]]></code></pre>
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Directive Reference</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>Pkcs12Size Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the maximum size of the form submitted by the
- client.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12Size bytes</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12Size 131072</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the maximum size of the form request from the client.
- This value cannot be smaller than 4096 bytes.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12ParamChallenge Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the name of the form parameter containing the
- challenge.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12ParamChallenge param</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12ParamChallenge challenge</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the name of the form parameter containing the challenge.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12ParamNickname Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the name of the request variable from the client containing the certificate nickname..</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12ParamNickname param</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12ParamNickname challenge</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the name of the request variable from the client containing the certificate nickname. Overrides the Pkcs12Nickname directive.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12Location Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the URL location of the WADL returned by the OPTIONS
- method.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12Location url</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12Location [current-URL]</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the URL location of the WADL returned by the OPTIONS
- method.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12SubjectAltNameRequest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify parameters in the form that will be copied over to the
- certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12SubjectAltNameRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify parameters in the form that will
- be copied over to the certificate, with optional limit to the
- number of fields that may appear.</p>
-
- <p>If a wildcard is used, all fields in the certificate request
- subject alternative name will be copied across unmodified.
- </p>
-
- <p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
- <code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
- <code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
- <code>iPAddress</code>, or <code>registeredID</code> and are described in
- the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12SubjectAltNameSet Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify an expression that will be included in the
- certificate subject alternative name.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12SubjectAltNameSet field value</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify an expression that will be included in the
- certificate subject alternative name.</p>
-
- <p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
- <code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
- <code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
- <code>iPAddress</code>, or <code>registeredID</code> and are described in
- the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12SubjectRequest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify parameters in the request that
- will be copied over to the subject in the certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12SubjectRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12SubjectRequest field 1</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify parameters in the request that will
- be copied over to the certificate's subject, with optional limit to the
- number of fields that may appear.</p>
-
- <p>If a wildcard is used, all fields in the certificate request
- subject alternative name will be copied across unmodified.
- </p>
-
- <p>Subject handling is covered in detail in the <a href="subjects.html">
- Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12SubjectSet Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify an expression that will be included in the
- certificate subject.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>PkcsSubjectSet field value</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify an expression that will be included in the
- certificate subject. Subject attribute name is configured first, then
- the expression.</p>
-
- <p>Subject handling is covered in detail in the <a href="subjects.html">
- Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12Iterate Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the number of iterations.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12Iterate iterations</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12Iterate 2048</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the number of iterations. Defaults to 2048.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12Digest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the mac digest used on the PKCS12.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12Digest digest</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12Digest SHA256</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the mac digest used on the PKCS12. Defaults to SHA256.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12CertificatePBE Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify the certificate PBE algorithm.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12CertificatePBE algorithm</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12CertificatePBE PBE-SHA1-3DES</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify the certificate PBE algorithm. Defaults to PBE-SHA1-3DES.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12KeyPBE Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify the key PBE algorithm.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12KeyPBE algorithm</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12KeyPBE PBE-SHA1-3DES</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify the key PBE algorithm. Defaults to PBE-SHA1-3DES.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>Pkcs12Nickname Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to an expression that resolves to the nickname of the certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>Pkcs12Nickname name</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12Nickname certificate</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to an expression that resolves to the nickname of the certificate. Defaults to "certificate".</p>
-
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
- </div>
- </body>
-</html>
-
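Review bot: The Pkcs12CertificatePBE and Pkcs12KeyPBE entries at the end of this file only restate the default (PBE-SHA1-3DES) and never say which algorithm names the directive accepts. PBE-SHA1-3DES is the legacy PKCS#12 password-based scheme, so an administrator who wants a stronger setting has nothing to go on. Since the page is being relocated anyway, consider listing the accepted values in both paragraphs, and the accepted digest names next to "Defaults to SHA256" in the MAC digest entry just above them.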
Removed: rs-manual/trunk/src/site/xhtml5/mod_scep.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod_scep.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod_scep.xhtml5 (removed)
@@ -1,1003 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
- <head>
- <title>mod_scep Module</title>
- </head>
- <body>
- <div class="index align-left">
-
- <section class="wrapper style1 align-center"
- id="introduction">
- <div class="inner">
- <h2>Simple Certificate Enrollment Protocol Module</h2>
- <p>Generate and issue certificates using the SCEP protocol.</p>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>What does it do?</h3>
- </header>
- <div class="content">
- <p>
- This module implements a <a href="https://tools.ietf.org/html/draft-gutmann-scep-14">
- Simple Certificate Enrollment Protocol</a> endpoint that is capable of signing
- and issuing certificates on behalf of a suitable client.
- </p>
-
- <p>Based on configuration, parameters can be passed from the
- incoming certificate sign request embedded within the SCEP request, or explicit expressions, and a new
- certificate sign request with
- acceptable parameters is passed to suitably configured backend modules
- for request authorisation,
- certificate signing and issuing, and certificate storage.</p>
-
- <p>
- The following SCEP operations are supported:
- </p>
- <table>
- <tbody>
- <tr>
- <td>GetCACaps</td><td>SCEP CA capabilities.</td>
- </tr>
- <tr>
- <td>GetCACert</td><td>Return the CA certificate and RA certificate for this CA.</td>
- </tr>
- <tr>
- <td>GetNextCACert</td><td>Return the next CA certificate that will be used for future signing.</td>
- </tr>
- <tr>
- <td>PKIOperation PKCSReq</td><td>Request a certificate via a certificate sign request.</td>
- </tr>
- <tr>
- <td>PKIOperation CertPoll (GetCertInitial)</td><td>Poll for a certificate that was previously requested.</td>
- </tr>
- <tr>
- <td>PKIOperation GetCert</td><td>Request a copy of a previously issued certificate.</td>
- </tr>
- </tbody>
- </table>
-
- <p>
- This module can be configured to respond to SCEP client requests as implemented
- by iOS and MacOS.
- </p>
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
-
- <section class="wrapper style1 align-center" id="integration">
- <div class="inner">
- <h2>Module Integration</h2>
- <p>
- The
- <code>mod_scep</code>
- module is a
- <a href="mod_ca.html#frontend">frontend module</a>
- and will not do anything useful until
- <code>mod_scep</code>
- has been combined with one or
- more
- <a href="mod_ca.html#backend">backend modules</a>
- listed below. The
- <code>mod_scep</code>
- module uses the following hooks to authorise, sign/issue and
- store a
- certificate, and suitable
- <a href="mod_ca.html#backend">backend modules</a>
- must be configured to implement each hook as needed.
- </p>
-
- <p>
- All
- <a href="mod_ca.html#frontend">frontend modules</a>
- run within
- a standard Apache httpd request, and standard httpd functionality
- applies in all cases.
- </p>
-
- <div>
- <img src="images/mod_scep-1.png" style="width: 100%;" />
- </div>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_reqauthz">Request Authorization Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This optional hook allows you to verify the parameters
- included with the certificate sign request, such as the
- challenge password. If left unconfigured, all certificate
- requests will be accepted.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_ldap.html#ca_reqauthz">mod_ca_ldap</a>
- </td>
- <td>Allows the certificate sign request to be verified
- against an LDAP directory.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_sign">Sign Request Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hooks signs the certificate sign request and returns the
- issued certificate. The hook is mandatory, and the request will
- be rejected if left unconfigured.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_disk.html#ca_sign">mod_ca_disk</a>
- </td>
- <td>Allows certificate sign requests to be saved to disk for
- later out of band processing. The response will redirect the
- caller to where the certificate can be collected.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_engine.html#ca_sign">mod_ca_engine</a>
- </td>
- <td>Allows certificate sign requests to be signed by an HSM
- such as a smartcard.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_simple.html#ca_sign">mod_ca_simple</a>
- </td>
- <td>Allows certificate sign requests to be signed by a
- certificate and key specified on disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_certstore">Certificate Storage Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This optional hook allows the newly generated certificate to
- be stored locally or in a database or directory. If left
- unconfigured, no local copy of the certificate will be stored.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_ldap.html#ca_certstore">mod_ca_ldap</a>
- </td>
- <td>Saves the newly issued PKCS7 certificate and chain to an
- LDAP directory.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
-
- </div>
-
- <div>
- <img src="images/mod_scep-2.png" style="width: 100%;" />
- </div>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_getcert">Get Certificate Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hook returns certificates that were requested previously and
- generated at a possibly later date or time.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_disk.html#ca_reqauthz">mod_ca_disk</a>
- </td>
- <td>Returns a certificate from a location on disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- </div>
-
- <div>
- <img src="images/mod_scep-3.png" style="width: 100%;" />
- </div>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_getca">Get CA Certificate Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hook returns CA certificates for the given CA.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_engine.html#ca_getca">mod_ca_engine</a>
- </td>
- <td>Returns CA certificates that would sign certificate sign requests by an HSM
- such as a smartcard.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_simple.html#ca_getca">mod_ca_simple</a>
- </td>
- <td>Returns CA certificates that would sign certificate sign requests by a
- certificate and key specified on disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_getnextca">Get Next CA Certificate Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hook returns certificates that were requested previously and
- generated at a possibly later date or time.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_engine.html#ca_getca">mod_ca_engine</a>
- </td>
- <td>Returns the upcoming next CA certificates that would sign
- certificate sign requests by an HSM such as a smartcard.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_simple.html#ca_getca">mod_ca_simple</a>
- </td>
- <td>Returns the upcoming next CA certificates that would sign
- certificate sign requests by a certificate and key specified
- on disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- </div>
-
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Examples</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>Basic Example</h3>
- </header>
- <div class="content">
- <p>The simplest case: issue a certificate to anybody who wants
- one.</p>
- <pre>
- <code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_scep.c>
- <Location /scep>
- SetHandler scep
- # use subject from the certificate sign request unmodified
- ScepSubjectRequest *
- </Location>
-</IfModule>
-]]></code>
- </pre>
- </div>
- </section>
-
- <section>
- <header>
- <h3>Logged In Example</h3>
- </header>
- <div class="content">
- <p>A more typical scenario: issue a certificate to a logged in
- user.</p>
- <p>In this example it is assumed that Apache configuration
- exists that
- authenticates a user against a database, directory, a token, or a previous
- certificate.
- </p>
- <pre>
- <code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_scep.c>
- <Location /scep>
- SetHandler scep
- # standard Apache authorisation
- Require valid-user
- # set the common name to the logged in username
- ScepSubjectSet CN %{REMOTE_USER}
- # set a fixed OU field in the subject
- ScepSubjectSet OU "Terms and Conditions Apply"
- </Location>
-</IfModule>
-]]></code>
- </pre>
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Directive Reference</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>ScepCRLURL Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>GetCRL will be redirected to this URL.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepCRLURL url</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>
- If set, attempts at GetCRL will be redirected to this URL.
- GetCRL will be
- rejected with
- <code>400 Bad Request</code>
- otherwise.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepFreshness Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>The max-age of the certificates will be divided by this
- factor.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepFreshness factor [max-seconds]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>ScepFreshness 2 86400</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>The age of the certificates will be divided by this factor
- when added as a max-age, set
- to zero to disable. Defaults to "2". An optional maximum value
- can be specified, defaults
- to one day.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepLocation Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the URL location of the WADL returned by the OPTIONS
- method.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepLocation url</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>ScepLocation [current-URL]</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the URL location of the WADL returned by the OPTIONS
- method.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepRACertificate Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the name of the signing certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepRACertificate filename</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>none</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the name of the signing certificate.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepRAKey Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the name of the signing key.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepRAKey filename</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>none</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the name of the signing key.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepRANextCertificate Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the name of the next RA signing certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepRANextCertificate filename</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>none</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the name of the next RA signing certificate.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepSize Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the maximum size of the SCEP request from the
- client.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepSize bytes</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>ScepSize 131072</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the maximum size of the SCEP request from the client.
- This value cannot be smaller than 4096 bytes.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepSubjectAltNameRequest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify fields in the certificate request subject
- alternative name that will be copied over to the
- certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepSubjectAltNameRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify fields in the certificate request subject alternative name that will
- be copied over to the certificate, with optional limit to the
- number of fields that may appear.</p>
-
- <p>If a wildcard is used, all fields in the certificate request
- subject alternative name will be copied across unmodified.
- </p>
-
- <p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
- <code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
- <code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
- <code>iPAddress</code>, or <code>registeredID</code> and are described in
- the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepSubjectAltNameSet Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify an expression that will be included in the
- certificate subject alternative name.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepSubjectAltNameSet field value</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify an expression that will be included in the
- certificate subject alternative name.</p>
-
- <p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
- <code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
- <code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
- <code>iPAddress</code>, or <code>registeredID</code> and are described in
- the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepSubjectRequest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify fields in the certificate request subject that
- will be copied over to the certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepSubjectRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>ScepSubjectRequest field 1</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify fields in the certificate request subject that will
- be copied over to the certificate, with optional limit to the
- number of fields that may appear.</p>
-
- <p>If a wildcard is used, all fields in the certificate request
- subject alternative name will be copied across unmodified.
- </p>
-
- <p>Subject handling is covered in detail in the <a href="subjects.html">
- Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>ScepSubjectSet Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify an expression that will be included in the
- certificate subject.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>ScepSubjectSet field value</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_scep</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_scep 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify an expression that will be included in the
- certificate subject. Subject attribute name is configured first, then
- the expression.</p>
-
- <p>Subject handling is covered in detail in the <a href="subjects.html">
- Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
- </div>
- </body>
-</html>
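Review bot: The relative references in this file (images/mod_scep-1.png and its two siblings, subjects.html, and the backend links such as mod_ca_ldap.html#ca_reqauthz) are written for the old location, and the log says the file is copied unchanged into mod/, so after the move they resolve under mod/. Unless the images directory, subjects.html and the backend pages also live there, these need a ../ prefix in the copied file. Three carried-over defects are worth fixing in the same pass: the Examples section and the Directive Reference section both use id="directive-reference"; the Get Next CA Certificate Hook paragraph repeats the Get Certificate Hook text instead of describing the next-CA hook; and the wildcard paragraph under ScepSubjectRequest says "subject alternative name" where it should refer to the subject.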
Removed: rs-manual/trunk/src/site/xhtml5/mod_spkac.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod_spkac.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod_spkac.xhtml5 (removed)
@@ -1,682 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
- <head>
- <title>mod_spkac Module</title>
- </head>
- <body>
- <div class="index align-left">
-
- <section class="wrapper style1 align-center"
- id="introduction">
- <div class="inner">
- <h2>Signed Public Key and Challenge Module</h2>
- <p>Generate and issue certificates using the SPKAC protocol.</p>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>What does it do?</h3>
- </header>
- <div class="content">
- <p>
- This module implements a <a href="https://en.wikipedia.org/wiki/SPKAC">
- Signed Public Key and Challenge</a> endpoint that is capable of signing
- and issuing certificates on behalf of a suitable client.
- </p>
-
- <p>Based on configuration, parameters can be passed from
- optional form parameters, or explicit expressions, and a new
- certificate sign request with
- acceptable parameters is combined with the public key and the
- challenge from the SPKAC parameter and passed to suitably configured
- backend modules for request authorisation,
- certificate signing and issuing, and certificate storage.</p>
-
- <p>
- This module can be configured to respond to SPKAC client requests as
- implemented by conformant implementations of HTML5.2 and earlier.
- </p>
- </div>
- </section>
-
-
- </div>
- </div>
- </section>
-
-
-
- <section class="wrapper style1 align-center" id="integration">
- <div class="inner">
- <h2>Module Integration</h2>
- <p>
- The
- <code>mod_spkac</code>
- module is a
- <a href="mod_ca.html#frontend">frontend module</a>
- and will not do anything useful until
- <code>mod_spkac</code>
- has been combined with one or
- more
- <a href="mod_ca.html#backend">backend modules</a>
- listed below. The
- <code>mod_spkac</code>
- module uses the following hooks to authorise, sign/issue and
- store a
- certificate, and suitable
- <a href="mod_ca.html#backend">backend modules</a>
- must be configured to implement each hook as needed.
- </p>
-
- <p>
- All
- <a href="mod_ca.html#frontend">frontend modules</a>
- run within
- a standard Apache httpd request, and standard httpd functionality
- applies in all cases.
- </p>
-
- <div>
- <img src="images/mod_spkac-1.png" style="width: 100%;" />
- </div>
-
- <div class="index align-left">
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_reqauthz">Request Authorization Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This optional hook allows you to verify the parameters
- included with the certificate sign request, such as the
- challenge password. If left unconfigured, all certificate
- requests will be accepted.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_ldap.html#ca_reqauthz">mod_ca_ldap</a>
- </td>
- <td>Allows the certificate sign request to be verified
- against an LDAP directory.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_sign">Sign Request Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This hooks signs the certificate sign request and returns the
- issued certificate. The hook is mandatory, and the request will
- be rejected if left unconfigured.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_disk.html#ca_sign">mod_ca_disk</a>
- </td>
- <td>Allows certificate sign requests to be saved to disk for
- later out of band processing. The response will redirect the
- caller to where the certificate can be collected.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_engine.html#ca_sign">mod_ca_engine</a>
- </td>
- <td>Allows certificate sign requests to be signed by an HSM
- such as a smartcard.</td>
- </tr>
- <tr>
- <td>
- <a href="mod_ca_simple.html#ca_sign">mod_ca_simple</a>
- </td>
- <td>Allows certificate sign requests to be signed by a
- certificate and key specified on disk.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
- <section>
- <header>
- <h3>
- <a href="mod_ca.html#ca_certstore">Certificate Storage Hook</a>
- </h3>
- </header>
- <div class="content">
- <p>This optional hook allows the newly generated certificate to
- be stored locally or in a database or directory. If left
- unconfigured, no local copy of the certificate will be stored.</p>
- <table>
- <tbody>
- <tr>
- <td>
- <a href="mod_ca_ldap.html#ca_certstore">mod_ca_ldap</a>
- </td>
- <td>Saves the newly issued PKCS7 certificate and chain to an
- LDAP directory.</td>
- </tr>
- </tbody>
- </table>
- </div>
- </section>
-
-
- </div>
-
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Examples</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>Basic Example</h3>
- </header>
- <div class="content">
- <p>The simplest case: issue a certificate to anybody who wants
- one.</p>
- <pre>
- <code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_spkac.c>
- <Location /spkac>
- SetHandler spkac
- # use subject from the certificate sign request unmodified
- SpkacSubjectRequest *
- </Location>
-</IfModule>
-]]></code>
- </pre>
- </div>
- </section>
-
- <section>
- <header>
- <h3>Logged In Example</h3>
- </header>
- <div class="content">
- <p>A more typical scenario: issue a certificate to a logged in
- user.</p>
- <p>In this example it is assumed that Apache configuration
- exists that
- authenticates a user against a database, directory, a token, or a previous
- certificate.
- </p>
- <pre>
- <code><![CDATA[
-# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_spkac.c>
- <Location /spkac>
- SetHandler spkac
- # standard Apache authorisation
- Require valid-user
- # set the common name to the logged in username
- SpkacSubjectSet CN %{REMOTE_USER}
- # set a fixed OU field in the subject
- SpkacSubjectSet OU "Terms and Conditions Apply"
- </Location>
-</IfModule>
-]]></code>
- </pre>
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
- <div class="inner">
- <h2>Directive Reference</h2>
- <div class="index align-left">
-
- <section>
- <header>
- <h3>SpkacLocation Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set the URL location of the WADL returned by the OPTIONS
- method.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>SpkacLocation url</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>SpkacLocation [current-URL]</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_spkac</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_spkac 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set the URL location of the WADL returned by the OPTIONS
- method.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>SpkacSize Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the maximum size of the SPKAC request from the
- client.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>SpkacSize bytes</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>SpkacSize 131072</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_spkac</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_spkac 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the maximum size of the SPKAC request from the client.
- This value cannot be smaller than 4096 bytes.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>SpkacName Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Set to the form name of the SPKAC request from the
- client.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>SpkacName string</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>SpkacName key</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td><a href="mod_ca.html#frontend">Frontend</a></td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_spkac</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_spkac 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Set to the name of the form parameter containing the SPKAC request
- from the client.</p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>SpkacSubjectAltNameRequest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify fields in the form that will be copied over to the subject
- alternative name of the certificate.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>SpkacSubjectAltNameRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_spkac</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_spkac 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify fields in the form that will be copied over to the subject
- alternative name of the certificate, with optional limit to the
- number of fields that may appear.</p>
-
- <p>Fields in the form are expected to be prefixed with the string
- <code>subjectAltName-</code> which will stripped before comparing to
- names set by this directive.
- </p>
-<!--
- <p>If a wildcard is used, all fields in the certificate request
- subject alternative name will be copied across unmodified.
- </p>
--->
-
- <p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
- <code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
- <code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
- <code>iPAddress</code>, or <code>registeredID</code> and are described in
- the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>SpkacSubjectAltNameSet Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify an expression that will be included in the
- certificate subject alternative name.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>SpkacSubjectAltNameSet field value</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_spkac</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_spkac 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify an expression that will be included in the
- certificate subject alternative name.</p>
-
- <p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
- <code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
- <code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
- <code>iPAddress</code>, or <code>registeredID</code> and are described in
- the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>SpkacSubjectRequest Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify fields in the form that
- will be copied over to the certificate subject.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>SpkacSubjectRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>SpkacSubjectRequest field 1</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_spkac</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_spkac 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify fields in the form that will
- be copied over to the certificate subject, with optional limit to the
- number of fields that may appear.</p>
-
-<!--
- <p>If a wildcard is used, all fields in the certificate request
- subject alternative name will be copied across unmodified.
- </p>
--->
-
- <p>Subject handling is covered in detail in the <a href="subjects.html">
- Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- <section>
- <header>
- <h3>SpkacSubjectSet Directive</h3>
- </header>
- <div class="content">
-
- <table>
- <tbody>
- <tr>
- <td>Description</td>
- <td>Specify an expression that will be included in the
- certificate subject.</td>
- </tr>
- <tr>
- <td>Syntax</td>
- <td>
- <code>SpkacSubjectSet field value</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>None</td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_spkac</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_spkac 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
- <p>Specify an expression that will be included in the
- certificate subject. Subject attribute name is configured first, then
- the expression.</p>
-
- <p>Subject handling is covered in detail in the <a href="subjects.html">
- Subjects and Subject Alternative Names</a> section.
- </p>
-
- </div>
- </section>
-
- </div>
- </div>
- </section>
-
- </div>
- </body>
-</html>
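Review bot: The relative links `href="subjects.html"` in the SpkacSubjectAltNameRequest, SpkacSubjectAltNameSet, SpkacSubjectRequest and SpkacSubjectSet sections will resolve against mod/ once this page is served from xhtml5/mod/, and the log says the file is copied unchanged. The commit only moves the mod_* files, so unless subjects.xhtml5 also moves, these links should become `../subjects.html` in the new copy. The `mod_ca.html#frontend` links keep working because mod_ca moves alongside it. When the copy is next touched, the SpkacSubjectAltNameRequest paragraph "which will stripped before comparing" is missing "be".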