This example configures three secure repositories named repo1, repo2, and repo3. The repo1 and repo2 repositories are configured with dedicated certificates. Therefore, certificates for repo1 will not work on repo2, and certificates for repo2 will not work on repo1. The repo3 repository is configured to accept either certificate.
The example assumes you have a proper server certificate for your Apache instance already available. If you do not have a server certificate for your Apache instance, see the instructions for creating a test certificate in Creating a Self-Signed Server Certificate Authority.
The three repositories are set up under https://pkg-sec.example.com/repo1, https://pkg-sec.example.com/repo2, and https://pkg-sec.example.com/repo3. These repositories point to depot servers set up at http://internal.example.com on ports 10001, 10002, and 10003 respectively. Make sure the SOFTTOKEN_DIR environment variable is set correctly as described in Creating a Keystore.
$ pktool gencert label=repo1_ca subject="CN=repo1" serial=0x01 $ pktool export objtype=cert label=repo1_ca outformat=pem \ outfile=repo1_ca.pem
$ pktool gencert label=repo2_ca subject="CN=repo2" serial=0x01 $ pktool export objtype=cert label=repo2_ca outformat=pem \ outfile=repo2_ca.pem
$ cat repo1_ca.pem > repo_cas.pem $ cat repo2_ca.pem >> repo_cas.pem $ cp repo_cas.pem /path-to-certs
$ pktool gencsr subject="C=US,CN=myuser" label=repo1_0001 format=pem \ outcsr=repo1_myuser.csr $ pktool signcsr signkey=repo1_ca csr=repo1_myuser.csr \ serial=0x02 outcert=repo1_myuser.crt.pem issuer="CN=repo1" $ pktool export objtype=key label=repo1_0001 outformat=pem \ outfile=repo1_myuser.key.pem $ cp repo1_myuser.key.pem /path-to-certs $ cp repo1_myuser.crt.pem /path-to-certs
$ pktool gencsr subject="C=US,CN=myuser" label=repo2_0001 format=pem \ outcsr=repo2_myuser.csr $ pktool signcsr signkey=repo2_ca csr=repo2_myuser.csr \ serial=0x02 outcert=repo2_myuser.crt.pem issuer="CN=repo2" $ pktool export objtype=key label=repo2_0001 outformat=pem \ outfile=repo2_myuser.key.pem $ cp repo2_myuser.key.pem /path-to-certs $ cp repo2_myuser.crt.pem /path-to-certs
Add the following SSL configuration at the end of your httpd.conf file:
# Let Apache listen on the standard HTTPS port Listen 443 <VirtualHost 0.0.0.0:443> # DNS domain name of the server ServerName pkg-sec.example.com # enable SSL SSLEngine On # Location of the server certificate and key. # You either have to get one from a certificate signing authority like # VeriSign or create your own CA for testing purposes (see "Creating a # Self-Signed CA for Testing Purposes") SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key # Intermediate CA certificate file. Required if your server certificate # is not signed by a top-level CA directly but an intermediate authority. # Comment out this section if you don't need one or if you are using a # test certificate SSLCertificateChainFile /path/to/ca_intermediate.pem # CA certs for client verification. # This is where the CA certificate created in step 3 needs to go. # If you have multiple CAs for multiple repos, just concatenate the # CA certificate files SSLCACertificateFile /path/to/certs/repo_cas.pem # If the client presents a certificate, verify it here. If it doesn't, # ignore. # This is required to be able to use client-certificate based and # anonymous SSL traffic on the same VirtualHost. SSLVerifyClient optional <Location /repo1> SSLVerifyDepth 1 SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/repo1/ ) # proxy request to depot running at internal.example.com:10001 ProxyPass http://internal.example.com:10001 nocanon max=500 </Location> <Location /repo2> SSLVerifyDepth 1 SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/repo2/ ) # proxy request to depot running at internal.example.com:10002 ProxyPass http://internal.example.com:10002 nocanon max=500 </Location> <Location /repo3> SSLVerifyDepth 1 SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" ) # proxy request to depot running at internal.example.com:10003 ProxyPass http://internal.example.com:10003 nocanon max=500 </Location> </VirtualHost>
$ pkg set-publisher -k /path-to-certs/repo1_myuser.key.pem \ -c /path-to-certs/repo1_myuser.crt.pem \ -p https://pkg-sec.example.com/repo1/
$ pkg set-publisher -k /path-to-certs/repo2_myuser.key.pem \ -c /path-to-certs/repo2_myuser.crt.pem \ -p https://pkg-sec.example.com/repo2/
Use the repo1 certificate to test access to repo3.
$ pkg set-publisher -k /path-to-certs/repo1_myuser.key.pem \ -c /path-to-certs/repo1_myuser.crt.pem \ -p https://pkg-sec.example.com/repo3/
Use the repo2 certificate to test access to repo3.
$ pkg set-publisher -k /path-to-certs/repo2_myuser.key.pem \ -c /path-to-certs/repo2_myuser.crt.pem \ -p https://pkg-sec.example.com/repo3/