[rs-commit] r259 - /rs-manual/trunk/src/site/xhtml5/mod/mod_pkcs12.xhtml5
rs-commit at redwax.eu
Fri Jan 10 14:32:19 CET 2020
Author: dirkx at redwax.eu
Date: Fri Jan 10 14:32:18 2020
New Revision: 259
Log:
Update the PKCS#12 example; add a few extra lines to make it work out of the box.
Modified:
rs-manual/trunk/src/site/xhtml5/mod/mod_pkcs12.xhtml5
Modified: rs-manual/trunk/src/site/xhtml5/mod/mod_pkcs12.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod/mod_pkcs12.xhtml5 (original)
+++ rs-manual/trunk/src/site/xhtml5/mod/mod_pkcs12.xhtml5 Fri Jan 10 14:32:18 2020
@@ -3,13 +3,11 @@
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>mod_pkcs12 Module</title>
- <meta name="description" content="Generate public/private key pairs and and issue certificates in response
- to a application/x-www-form-urlencoded form request." />
- <meta name="mod-ca-type" content="frontend" />
- <link rel="canonical" href="https://redwax.eu/rs/docs/latest/mod/mod_pkcs12.html" />
+ <meta name="description" content="Generate public/private key pairs and and issue certificates in response to a application/x-www-form-urlencoded form request."/>
+ <meta name="mod-ca-type" content="frontend"/>
+ <link rel="canonical" href="https://redwax.eu/rs/docs/latest/mod/mod_pkcs12.html"/>
</head>
<body>
-
<section class="spotlight style2 orient-right content-align-left image-position-left">
<div class="content null">
<h2>PKCS12 Module</h2>
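Review bot: The rewritten description meta still reads "key pairs and and issue certificates in response to a application/x-www-form-urlencoded form request". Since the line is being reflowed anyway, drop the doubled "and" and change "a application" to "an application".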
@@ -17,18 +15,13 @@
to a <code>application/x-www-form-urlencoded</code> form request.</p>
</div>
<div class="image">
- <img src="../images/candles-red.jpg" alt="" />
+ <img src="../images/candles-red.jpg" alt=""/>
</div>
</section>
-
<div class="none">
-
- <section class="wrapper style1 align-center"
- id="introduction">
+ <section class="wrapper style1 align-center" id="introduction">
<div class="inner">
-
<div class="index align-left">
-
<section>
<header>
<h3>What does it do?</h3>
@@ -40,30 +33,22 @@
form submission request
containing optional parameters.
</p>
-
<p>Based on configuration, optional form parameters can be passed from the
incoming request, or explicit expressions, and a new
certificate sign request with
acceptable parameters is passed to suitably configured backend modules
for request authorisation,
certificate signing and issuing, and certificate storage.</p>
-
<p>
The resulting certificate chain and private key is returned as a DER
encoded PKCS12
certificate and key.
</p>
-
- </div>
- </section>
-
-
+ </div>
+ </section>
</div>
</div>
</section>
-
-
-
<section class="wrapper style1 align-center" id="integration">
<div class="inner">
<h2>Module Integration</h2>
@@ -85,19 +70,15 @@
<a href="mod_ca.html#backend">backend modules</a>
must be configured to implement each hook as needed.
</p>
-
<p>
All <a href="mod_ca.html#frontend">frontend modules</a> run within
a standard Apache httpd request, and standard httpd functionality
applies in all cases.
</p>
-
<div>
- <img src="../images/mod_pkcs12.png" style="width: 100%;" />
+ <img src="../images/mod_pkcs12.png" style="width: 100%;"/>
</div>
-
<div class="index align-left">
-
<section>
<header>
<h3>
@@ -122,7 +103,6 @@
</table>
</div>
</section>
-
<section>
<header>
<h3>
@@ -144,7 +124,6 @@
</table>
</div>
</section>
-
<section>
<header>
<h3>
@@ -183,7 +162,6 @@
</table>
</div>
</section>
-
<section>
<header>
<h3>
@@ -207,50 +185,116 @@
</table>
</div>
</section>
-
-
</div>
</div>
</section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
+ <section class="wrapper style1 align-center" id="directive-reference">
<div class="inner">
<h2>Examples</h2>
<div class="index align-left">
-
<section>
<header>
<h3>Basic Example</h3>
</header>
<div class="content">
- <p>The simplest case: issue a certificate to anybody who wants one.</p>
-<pre><code><![CDATA[
+ <p>The simplest case: issue a certificate to anybody who wants one. And we trust whatever values they want to have in the 'Subject' of the certificate.</p>
+ <pre>
+ <code><![CDATA[
# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
-
-# frontend configuration:
-<IfModule mod_pkcs12.c>
- <Location /pkcs12>
- SetHandler pkcs12
- # use subject from the certificate sign request unmodified
- Pkcs12SubjectRequest *
- </Location>
-</IfModule>
-]]></code></pre>
- </div>
- </section>
-
+
+# Sign the certificates we ussue with this certificate.
+# If needed - generate one for testing with:
+# openssl req -new -x509 -nodes \
+# -subj /CN=TheCA/O=Me/L=Here/C=EU \
+# -out /etc/pki/tls/ca-cert.pem \
+# -keyout /etc/pki/tls/ca-key.pem
+#
+CASimpleCertificate /etc/pki/tls/ca-cert.pem
+CASimpleKey /etc/pki/tls/ca-key.pem
+
+# use system clock as the time source
+CASimpleTime on
+
+# assign a random serial number
+CASimpleSerialRandom on
+
+# Specify the algorithm to use when
+# generating a key; use:
+#
+# openssl list -public-key-algorithms
+#
+# to get a complete list of supported algorithms.
+#
+CASimpleAlgorithm RSA
+
+Loglevel debug
+
+<Location /pkcs12>
+ SetHandler pkcs12
+ # use subject from the certificate sign request unmodified,
+ # accept anything. Up to 99 'RDN' values in total.
+ Pkcs12SubjectRequest * 99
+</Location>
+]]></code>
+ </pre>
+ <p> Now, from a governance perspective, one generally does not allow
+ the user to specify everything.</p>
+ <p> So a more realistic Location block is shown below. Where
+ one allows the user to specify the Common Name (CN) and the Organisational
+ Unit (OU); but with the Organisation(O), Locality(L) and Country(C)
+ to forced to an appropriate value.</p>
+ <pre>
+ <code><![CDATA[
+<Location /pkcs12>
+ Pkcs12SubjectRequest CN 1
+ Pkcs12SubjectRequest OU 1
+ Pkcs12SubjectSet O "Demo Services Ltd"
+ Pkcs12SubjectSet L "Capital City"
+ Pkcs12SubjectSet C "EU"
+</Location>
+]]></code>
+ </pre>
+ <p>One would normally enage with this endpoint (/pkcs12) with a some javascript from the browser or as a simple form, such as for example:</p>
+ <pre>
+ <code><![CDATA[
+<form method=post action="/pkcs12">
+ Name: <input name="subject-CN" value="Alice"/>
+ <br/>
+ Department: <input name="subject-OU" value="Vermin Handling Department"/>
+ <br/>
+ Temporary password: <input name="challenge" value="s3cr!t"/>
+ <p/>
+ <input type=submit value="generate"/><br/>
+</form>
+]]></code>
+ </pre>
+ <p>Or alternatively - a curl example is shown below.</p>
+ <pre>
+ <code><![CDATA[
+# Fetch a client certificate as a P12 for the user Alice (CN)
+# with an `Organisational Unit' specified as well. The other
+# fields (Country(C), Locality(L), etc) are locked down servr
+# side. Curl saves this to a file (client.p12):
+#
+curl -o client.p12 -vvvv --silent \
+ --data-urlencode subject-CN=Alice \
+ --data-urlencode subject-OU="Vermin Handling" \
+ --data-urlencode challenge=s3cr1t \
+ http://localhost:80/pkcs12
+
+# Decode the PKCS12 file into a PEM cert/key; using the
+# challenge to decrypt the outer package.
+#
+openssl pkcs12 -password pass:s3cr!t -nodes -nokeys -out client.pem
+
+# And show what is in the PEM file:
+#
+openssl x509 -text -noout iin client.pem
+
+]]></code>
+ </pre>
+ </div>
+ </section>
<section>
<header>
<h3>Logged In Example</h3>
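Review bot: The curl walkthrough added to the Basic Example does not run as written. The POST sends `challenge=s3cr1t`, but the decode step uses `-password pass:s3cr!t` (the form sample also uses `s3cr!t`). The `openssl pkcs12` line has no `-in client.p12`, and `openssl x509 -text -noout iin client.pem` needs `-in`. Use one challenge value throughout and add the missing input options. The comment above the decode step promises a "PEM cert/key", but `-nokeys` writes only the certificate, so either drop the flag or reword the comment. The second `<Location /pkcs12>` block omits `SetHandler pkcs12`, so a reader who pastes it in place of the first gets no handler; repeat the line or say that only the Pkcs12Subject* lines change. `Loglevel debug` deserves a comment marking it as a testing aid. Typos to fix in the same pass: "ussue", "enage", "servr", "to forced".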
@@ -259,54 +303,72 @@
<p>A more typical scenario: issue a certificate to a logged in user.</p>
<p>In this example it is assumed that Apache configuration exists that
authenticates a user against a database, directory, a token, or a previous
- certificate.
+ certificate. We also set a more realistic set of CA extension values and limit the validity to 31 days. And rather than letting the user pick the CN with a <code>subject-CN</code> POST value - we force it to be identical to the value the user authenticated as.
</p>
-<pre><code><![CDATA[
+ <pre>
+ <code><![CDATA[
# backend configuration:
-<IfModule mod_ca_simple.c>
- # sign with this certificate...
- CASimpleCertificate /etc/pki/tls/ca-cert.pem
- # ...and private key
- CASimpleKey /etc/pki/tls/ca-key.pem
- # use system clock as the time source
- CASimpleTime on
- # assign a random serial number
- CASimpleSerialRandom on
-</IfModule>
+# sign with this certificate...
+CASimpleCertificate /etc/pki/tls/ca-cert.pem
+
+# ...and private key
+CASimpleKey /etc/pki/tls/ca-key.pem
+
+# use system clock as the time source
+CASimpleTime on
+
+# assign a random serial number
+CASimpleSerialRandom on
+
+# Specify the algorithm to use when
+# generating a key; use:
+#
+# openssl list -public-key-algorithms
+#
+# to get a complete list of supported algorithms.
+#
+CASimpleAlgorithm RSA
+
+# Typical extensions expected.
+CASimpleExtension basicConstraints CA:FALSE
+CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
+CASimpleExtension subjectKeyIdentifier hash
+CASimpleExtension authorityKeyIdentifier keyid,issuer
+
+# See rfc5280 -- id-kp-clientAuth
+CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
+
+CASimpleDays 31
# frontend configuration:
-<IfModule mod_pkcs12.c>
<Location /pkcs12>
SetHandler pkcs12
+
# standard Apache authorisation
Require valid-user
+
# set the common name to the logged in username
Pkcs12SubjectSet CN %{REMOTE_USER}
+
# set a fixed OU field in the subject
Pkcs12SubjectSet OU "Terms and Conditions Apply"
</Location>
-</IfModule>
-]]></code></pre>
- </div>
- </section>
-
+]]></code>
+ </pre>
+ </div>
+ </section>
</div>
</div>
</section>
-
-
- <section class="wrapper style1 align-center"
- id="directive-reference">
+ <section class="wrapper style1 align-center" id="directive-reference">
<div class="inner">
<h2>Directive Reference</h2>
<div class="index align-left">
-
<section id="directive-Pkcs12Size">
<header>
- <h3>Pkcs12<wbr />Size Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>Size Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
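Review bot: The section holding `<h2>Directive Reference</h2>` keeps `id="directive-reference"`, the same id the Examples section carries earlier in this patch, so the page ends up with two elements sharing one id and a `#directive-reference` link resolves to Examples. Give the Examples section its own id. In the Logged In configuration, `CASimpleDays 31` runs straight into `# frontend configuration:`; a blank line and a one-line comment on `CASimpleDays` would match the rest of the block.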
@@ -317,49 +379,45 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />Size bytes</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />Size 131072</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>Size bytes</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>Size 131072</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Set to the maximum size of the form request from the client.
This value cannot be smaller than 4096 bytes.</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12ParamChallenge">
<header>
- <h3>Pkcs12<wbr />ParamChallenge Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>ParamChallenge Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -370,48 +428,44 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />ParamChallenge param</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />ParamChallenge challenge</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>ParamChallenge param</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>ParamChallenge challenge</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Set the name of the form parameter containing the challenge.</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12ParamNickname">
<header>
- <h3>Pkcs12<wbr />ParamNickname Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>ParamNickname Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -421,48 +475,44 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />ParamNickname param</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />ParamNickname challenge</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>ParamNickname param</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>ParamNickname challenge</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Set to the name of the request variable from the client containing the certificate nickname. Overrides the Pkcs12Nickname directive.</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12Location">
<header>
- <h3>Pkcs12<wbr />Location Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>Location Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
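Review bot: The Default row for Pkcs12ParamNickname reads `Pkcs12ParamNickname challenge`, the same parameter name shown as the default for Pkcs12ParamChallenge in the preceding section. If this is a copy-paste leftover, replace it with the module's actual default. If both directives really default to `challenge`, say so in the description, because a single form field would then supply both the nickname and the challenge.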
@@ -473,49 +523,45 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />Location url</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />Location [current-URL]</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>Location url</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>Location [current-URL]</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Set the URL location of the WADL returned by the OPTIONS
method.</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12SubjectAltNameRequest">
<header>
- <h3>Pkcs12<wbr />SubjectAltName<wbr />Request Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>SubjectAltName<wbr/>Request Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -526,7 +572,7 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />SubjectAltName<wbr />Request field [number]</code>
+ <code>Pkcs12<wbr/>SubjectAltName<wbr/>Request field [number]</code>
</td>
</tr>
<tr>
@@ -554,31 +600,25 @@
</tr>
</tbody>
</table>
-
<p>Specify parameters in the form that will
be copied over to the certificate, with optional limit to the
number of fields that may appear.</p>
-
<p>If a wildcard is used, all fields in the certificate request
subject alternative name will be copied across unmodified.
</p>
-
<p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
<code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
<code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
<code>iPAddress</code>, or <code>registeredID</code> and are described in
the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12SubjectAltNameSet">
<header>
- <h3>Pkcs12<wbr />SubjectAltName<wbr />Set Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>SubjectAltName<wbr/>Set Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -589,7 +629,7 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />SubjectAltName<wbr />Set field value</code>
+ <code>Pkcs12<wbr/>SubjectAltName<wbr/>Set field value</code>
</td>
</tr>
<tr>
@@ -617,26 +657,21 @@
</tr>
</tbody>
</table>
-
<p>Specify an expression that will be included in the
certificate subject alternative name.</p>
-
<p>Field names are limited to <code>otherName</code>, <code>rfc822Name</code>,
<code>dNSName</code>, <code>x400Address</code>, <code>directoryName</code>,
<code>ediPartyName</code>, <code>uniformResourceIdentifier</code>,
<code>iPAddress</code>, or <code>registeredID</code> and are described in
the <a href="subjects.html"> Subjects and Subject Alternative Names</a> section.
</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12SubjectRequest">
<header>
- <h3>Pkcs12<wbr />SubjectRequest Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>SubjectRequest Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -647,58 +682,52 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />SubjectRequest field [number]</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />SubjectRequest field 1</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>SubjectRequest field [number]</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>SubjectRequest field 1</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Specify parameters in the request that will
be copied over to the certificate's subject, with optional limit to the
number of fields that may appear.</p>
-
<p>If a wildcard is used, all fields in the certificate request
subject alternative name will be copied across unmodified.
</p>
-
<p>Subject handling is covered in detail in the <a href="subjects.html">
Subjects and Subject Alternative Names</a> section.
</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12SubjectSet">
<header>
- <h3>Pkcs12<wbr />SubjectSet Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>SubjectSet Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
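Review bot: The wildcard paragraph under Pkcs12SubjectRequest says fields of the "certificate request subject alternative name" are copied across, which is the wording of Pkcs12SubjectAltNameRequest; here it should refer to the subject. The Basic Example now uses `Pkcs12SubjectRequest * 99`, so this paragraph is also the place to document what a wildcard combined with a count means.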
@@ -709,7 +738,7 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs<wbr />SubjectSet field value</code>
+ <code>Pkcs<wbr/>SubjectSet field value</code>
</td>
</tr>
<tr>
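Review bot: The Syntax cell still reads `Pkcs<wbr/>SubjectSet field value`, missing the `12`; the section heading and the examples use `Pkcs12SubjectSet`. Correct the name while this line is being touched.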
@@ -737,24 +766,19 @@
</tr>
</tbody>
</table>
-
<p>Specify an expression that will be included in the
certificate subject. Subject attribute name is configured first, then
the expression.</p>
-
<p>Subject handling is covered in detail in the <a href="subjects.html">
Subjects and Subject Alternative Names</a> section.
</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12Iterate">
<header>
- <h3>Pkcs12<wbr />Iterate Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>Iterate Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -764,48 +788,44 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />Iterate iterations</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />Iterate 2048</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>Iterate iterations</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>Iterate 2048</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Set to the number of iterations. Defaults to 2048.</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12Digest">
<header>
- <h3>Pkcs12<wbr />Digest Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>Digest Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -815,48 +835,44 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />Digest digest</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />Digest SHA256</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>Digest digest</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>Digest SHA256</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Set to the mac digest used on the PKCS12. Defaults to SHA256.</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12CertificatePBE">
<header>
- <h3>Pkcs12<wbr />CertificatePBE Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>CertificatePBE Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -866,48 +882,44 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />CertificatePBE algorithm</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />CertificatePBE PBE-SHA1-3DES</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>CertificatePBE algorithm</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>CertificatePBE PBE-SHA1-3DES</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Specify the certificate PBE algorithm. Defaults to PBE-SHA1-3DES.</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12KeyPBE">
<header>
- <h3>Pkcs12<wbr />KeyPBE Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>KeyPBE Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
@@ -917,48 +929,44 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />KeyPBE algorithm</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />KeyPBE PBE-SHA1-3DES</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>KeyPBE algorithm</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>KeyPBE PBE-SHA1-3DES</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Specify the key PBE algorithm. Defaults to PBE-SHA1-3DES.</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
<section id="directive-Pkcs12Nickname">
<header>
- <h3>Pkcs12<wbr />Nickname Directive</h3>
- </header>
- <div class="content">
-
+ <h3>Pkcs12<wbr/>Nickname Directive</h3>
+ </header>
+ <div class="content">
<table>
<tbody>
<tr>
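Review bot: The Pkcs12KeyPBE description names only the default, `PBE-SHA1-3DES`, and does not say which algorithm names are accepted or how to list them, unlike the `CASimpleAlgorithm` comment added in the examples, which points at `openssl list -public-key-algorithms`. Add an equivalent pointer here and under Pkcs12CertificatePBE so a reader can select something other than the default.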
@@ -968,47 +976,42 @@
<tr>
<td>Syntax</td>
<td>
- <code>Pkcs12<wbr />Nickname name</code>
- </td>
- </tr>
- <tr>
- <td>Default</td>
- <td>
- <code>Pkcs12<wbr />Nickname certificate</code>
- </td>
- </tr>
- <tr>
- <td>Context</td>
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
- <tr>
- <td>Status</td>
- <td>
- <a href="mod_ca.html#frontend">Frontend</a>
- </td>
- </tr>
- <tr>
- <td>Module</td>
- <td>mod_pkcs12</td>
- </tr>
- <tr>
- <td>Compatibility</td>
- <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
- Server 2.4.0 and later</td>
- </tr>
- </tbody>
- </table>
-
+ <code>Pkcs12<wbr/>Nickname name</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Default</td>
+ <td>
+ <code>Pkcs12<wbr/>Nickname certificate</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Context</td>
+ <td>server config, virtual host, directory, .htaccess</td>
+ </tr>
+ <tr>
+ <td>Status</td>
+ <td>
+ <a href="mod_ca.html#frontend">Frontend</a>
+ </td>
+ </tr>
+ <tr>
+ <td>Module</td>
+ <td>mod_pkcs12</td>
+ </tr>
+ <tr>
+ <td>Compatibility</td>
+ <td>Introduced in mod_pkcs12 0.2.0 and works with Apache HTTP
+ Server 2.4.0 and later</td>
+ </tr>
+ </tbody>
+ </table>
<p>Set to an expression that resolves to the nickname of the certificate. Defaults to "certificate".</p>
-
- </div>
- </section>
-
+ </div>
+ </section>
</div>
</div>
</section>
-
</div>
</body>
</html>
-