I'm once again playing with making websites that authenticate based on Thawte freemail certs. First, after getting my cert loaded into Firefox, under Tools - Advanced - View Certificates, I backed it up. Then using openssl, I converted it to a PEM-format file:

$ openssl pkcs12 -in jcomeau.p12 -out jcomeau_chain.pem

Then I edited the file, got rid of the private key at the top, leaving only the two Thawte certs, and renamed it thawte_chain.pem. I copied it to the server. Here is the relevant part of Unternet.net's config:

SSLEngine On
SSLCertificateFile /home/jcomeau/unternet.crt
SSLCertificateKeyFile /home/jcomeau/unternet.key
SSLVerifyClient require
SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars
SSLCACertificateFile /home/jcomeau/thawte_chain.pem
SSLVerifyDepth 2
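The same conversion, done with openssl's own filtering flags instead of deleting the private key by hand, followed by the checks worth running before pointing SSLCACertificateFile at the result. This is an added example, not the post's own commands: since a real Thawte-issued bundle can't ship with the page, it builds a throwaway root CA, issuing CA and client certificate, packs them into a PKCS#12 file the way a browser backup does, and uses that. The subjects, file names and the export password "secret" are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post). Builds a throwaway
# root CA -> issuing CA -> client chain, packs it into a PKCS#12 bundle like
# the one Firefox exports, pulls only the CA certificates back out with
# openssl's own filters instead of editing the PEM by hand, then checks the
# result the way mod_ssl will use it. Subjects, file names and the export
# password "secret" are constructed for this demo.
set -eu

# new_csr <basename> <subject>: fresh RSA key and CSR in <basename>.key/.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null
}

# make_test_bundle <dir>: creates root.pem, issuing.pem, client.pem,
# client.p12 (key + client cert + both issuer certs) and, for the negative
# check, stranger.pem: a self-signed cert that is NOT under either CA.
make_test_bundle() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$dir/ee.ext"
    new_csr "$dir/root" "/O=Example Test CA/CN=Example Personal Root CA"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -set_serial 1 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    new_csr "$dir/issuing" "/O=Example Test CA/CN=Example Personal Issuing CA"
    openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -days 1 -set_serial 2 -extfile "$dir/ca.ext" -out "$dir/issuing.pem" 2>/dev/null
    new_csr "$dir/client" "/CN=Example User/emailAddress=user@example.com"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" \
        -days 1 -set_serial 3 -extfile "$dir/ee.ext" -out "$dir/client.pem" 2>/dev/null
    cat "$dir/issuing.pem" "$dir/root.pem" > "$dir/issuers.pem"
    # what a browser "Backup" produces: private key + own cert + issuer chain
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/issuers.pem" -passout pass:secret -out "$dir/client.p12" 2>/dev/null
    new_csr "$dir/stranger" "/CN=Stranger"
    openssl x509 -req -in "$dir/stranger.csr" -signkey "$dir/stranger.key" -days 1 \
        -set_serial 9 -extfile "$dir/ee.ext" -out "$dir/stranger.pem" 2>/dev/null
}

# extract_ca_chain <bundle.p12> <password> <out.pem>: -nokeys drops the
# private key and -cacerts keeps only the issuer certs, not the end-entity
# cert that matches the key. sed strips the "Bag Attributes" text openssl
# prints between blocks. (On OpenSSL 3, add -legacy for old RC2-encrypted bundles.)
extract_ca_chain() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$3"
}

# count_certs <pem>: prints the number of certificate blocks in a PEM bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# has_private_key <pem>: succeeds if a private key is still in the file,
# which would be a mistake in anything named by SSLCACertificateFile
has_private_key() {
    grep -q -- 'PRIVATE KEY-----' "$1"
}

# verify_client <chain.pem> <client.pem>: the check mod_ssl performs under
# "SSLVerifyClient require": build a chain from the client cert to a cert in
# SSLCACertificateFile. -verify_depth 2 mirrors "SSLVerifyDepth 2".
verify_client() {
    openssl verify -verify_depth 2 -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run of the whole flow, including the negative check: the CA
# file is the only thing deciding who gets past SSLVerifyClient require.
demo() {
    work=$(mktemp -d)
    make_test_bundle "$work"
    extract_ca_chain "$work/client.p12" secret "$work/thawte_chain.pem"
    echo "issuer certs in chain file: $(count_certs "$work/thawte_chain.pem")"
    if has_private_key "$work/thawte_chain.pem"; then
        echo "private key leaked into the chain file" >&2
        return 1
    fi
    verify_client "$work/thawte_chain.pem" "$work/client.pem" \
        && echo "client.pem verifies against the extracted chain (SSLVerifyDepth 2 suffices)"
    if verify_client "$work/thawte_chain.pem" "$work/stranger.pem"; then
        echo "a cert from an unrelated CA verified: chain file is too permissive" >&2
        return 1
    fi
    echo "stranger.pem is rejected, as it should be"
    rm -rf "$work"
}
demo
```

Run it as-is and it prints the two results; to use it on a real backup, call extract_ca_chain with the .p12 Firefox wrote and the password you gave it, then verify_client with the chain file and your own certificate (openssl pkcs12 -nokeys -clcerts gives you that one). Note what the positive check does not say: every certificate issued under those CAs passes SSLVerifyClient require, so the CA file authenticates the issuer, and deciding which individual certificates are welcome is a separate step.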

And here are the SSI directives that generate the headline:

<H1>Welcome to the UnterNet,
<!--#if expr="${SSL_CLIENT_S_DN_CN} = /.+/" -->
<!--#echo var="SSL_CLIENT_S_DN_CN" -->
<!--#elif expr="${SSL_CLIENT_S_DN_EMAIL} = /.+/" -->
<!--#echo var="SSL_CLIENT_S_DN_EMAIL" -->
<!--#else --> my friend<!--#endif -->!</H1>

I've still got more work to do if I want it to actually encrypt traffic, namely, set up the user database and add the necessary directives to the configuration. I'd like to convince lots of people to set up their servers this way, so I wouldn't have to remember so many different passwords... I could just use my cert to authenticate. If I wanted to use this method from a public computer I heard you can install Firefox on a memory stick. I'd have to investigate that some more.
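What the remaining configuration looks like when FakeBasicAuth is used the way mod_ssl documents it: the subject DN of the verified client certificate becomes a Basic-auth username with the fixed password "password", and the ordinary mod_auth directives do the authorization against a file of DNs. This is an added example, not the post's own config; the vhost wrapper, the `<Location>` block, the `unternet.dn` file name and the DN in it are assumptions, and the directive names are those of Apache 2.4.

```apache
# Added example (not the post's own config): the authorization half that
# +FakeBasicAuth needs. Paths, the user-file name and the DN are hypothetical.
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile    /home/jcomeau/unternet.crt
    SSLCertificateKeyFile /home/jcomeau/unternet.key

    # Authentication: the client must present a certificate that chains, in at
    # most 2 issuer hops, to a certificate in this file. Every certificate
    # issued under those CAs passes this step, so it answers "is this a
    # Thawte freemail user", not "is this one of my users".
    SSLCACertificateFile /home/jcomeau/thawte_chain.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    # FakeBasicAuth: subject DN -> Basic username, password fixed to "password".
    # StdEnvVars exposes SSL_CLIENT_S_DN etc. to SSI and CGI.
    SSLOptions +FakeBasicAuth +StdEnvVars

    # Authorization: only DNs listed in the user file get in.
    <Location />
        AuthType Basic
        AuthName "UnterNet"
        AuthBasicProvider file
        AuthUserFile /home/jcomeau/unternet.dn
        Require valid-user
    </Location>
</VirtualHost>

# /home/jcomeau/unternet.dn (hypothetical): one line per permitted subject DN.
# The username must match SSL_CLIENT_S_DN exactly; the hash is crypt(3) of the
# fixed string "password", as given in the mod_ssl documentation. Apache 2.4
# writes the DN in RFC 2253 form (CN=...,O=...) unless
# SSLOptions +LegacyDNStringFormat is set, which restores the /C=../CN=.. form.
#
#   CN=Example User,O=Example Org:xxj31ZMTZzkVA
```

To get the exact username string for a given certificate, echo SSL_CLIENT_S_DN from an SSI page (or log `%{SSL_CLIENT_S_DN}x`) while SSLVerifyClient is in force and paste it into the file. Because the fake password is public, that user file must not be shared with any location that accepts ordinary Basic authentication, and SSLVerifyClient should stay at `require` rather than `optional` wherever FakeBasicAuth is on; otherwise a client that knows a listed DN could simply send it with "password" in an Authorization header.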

If you have a Thawte freemail cert installed in your browser, you can test it at https://www.unternet.net/. If the cert has been notarized by the Thawte Web of Trust, you should see your full name in the Welcome line. If it's just a non-notarized cert, you should see your email address. If the cert isn't recognized, you'll either get an authentication error or see "my friend" rather than any unique identifier.


last updated 2013-01-10 20:47:32. served from tektonic.jcomeau.com