[Pi3web-users] How to configure Pi3Web for SSL
From: <zi...@t-...> - 2002-01-25 21:02:21
Hi,

I received some individual questions regarding configuration advice for the PHP4 and SSL features this week. Here are my answers as CC to this list. Maybe this will help other people.

How to configure Pi3Web 2.0 for SSL:

The procedure to set up an HTTPS site depends a bit on the operating system. I assume Windows; if you're under Linux or Solaris, I'm pretty sure you know how to use the following description.

Don't use the enhanced (graphical) interface to start the server, but type in (when the server is stopped):

    c:
    cd \Pi3Web\bin
    .\Pi3 ..\Conf\SSL.pi3

This is an 'out of the box' SSL configuration for demonstration, coming with a self-signed server certificate (Explicit warning: Not for production server!).

The SSL options are based on the openssl APIs and described in the Pi3Web documentation: http://localhost/pidocs/Objects/SSL.html.

It depends on the purpose of the HTTPS site you plan, if you need a Global Server ID or maybe a self-signed certificate is sufficient for an SSL intranet. The procedure of creation and enrollment of a CSR (Certificate Signing Request) depends on the CA, so I can't give concrete advice for this step. But you can get information on the websites of the CAs about this.

================================================================================

P.S.: The certificates shipped in the Pi3Web distribution are intentionally outdated. Your browser will create a warning, but HTTPS will work, if you ignore it.

A few additional remarks:

- Key generation, CSR creation, cert. signing, update server

  Basically a private+public key is generated; the private key should never leave your computer. Based on the public key there's a CSR generated, which has to be sent to the CA for signing. You will get back an X.509 certificate. You have to place the private key, the server certificate and the CA certificate in the configured places (as in SSL.pi3).

- Demo-CA

  There's a demo CA. I wrote it for demonstration purposes only and it can create both server and client certificates. Basically it is a web frontend for openssl using the features of Netscape and MSIE for key and CSR generation (many version dependencies for MSIE) and certificate download. You can get it, in order to produce your own keys and certificates (I think some knowledge of how cryptography, openssl and a CA work is required), from the following location: http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pi3web/DemoCA/. Further you need perl (for the CGIs) and the openssl 0.95/0.96 binaries (contained in most linux distributions, otherwise refer to www.openssl.org) for your platform. This demo CA framework isn't part of Pi3Web but a very good subject for learning and research on openssl, HTTPS, browser technologies, Pi3Web, CGI, perl.

- Extended configuration

  SSL.pi3 only demonstrates HTTPS but doesn't work as a GUI based configuration. If you want this, you have to merge the SSL related sections into Config.pi3.

Don't hesitate to ask me back if you need further advice.

--
regards
Holger

TMTOWTDI - There's More Than One Way To Do It - Perl motto
----------------------------------------------------------
Holger 'zimpel' Zimmermann
----------------------------------------------------------
Wendishain
Germany
----------------------------------------------------------
http://home.t-online.de/home/zimpel/
http://pi3web.sourceforge.net/
mailto:zi...@t-...
----------------------------------------------------------
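The key generation, CSR creation and signing steps from the remarks in the message above, as an added example that is not part of the original post, the Pi3Web distribution or its demo CA. It uses the openssl command line with a throwaway CA standing in for the real one; the function names, file names and subject names are constructed for illustration, and a default openssl.cnf is assumed to be installed.

```shell
# Added example; all file and subject names are constructed for illustration.

# make_demo_ca DIR: create a throwaway CA key and self-signed CA certificate.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_server_csr DIR CN: generate the server private key and a CSR.
# Only the CSR (public key + subject) goes to the CA; the key stays local.
make_server_csr() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    chmod 600 "$1/server.key" &&
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
}

# sign_csr DIR: the CA's step; the result is the X.509 server certificate.
sign_csr() {
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/server.crt" 2>/dev/null
}

# check_install DIR: checks to run before placing the files in the server
# configuration. Prints "ok", or the first failed check, and returns 0 or 1.
check_install() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 ||
        { echo "chain"; return 1; }
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key mismatch"; return 1; }
    openssl x509 -in "$1/server.crt" -noout -checkend 0 >/dev/null ||
        { echo "expired"; return 1; }
    echo "ok"
}
```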