Certificate Authority Documentation
This page contains installation and usage instructions for hosting your own
certificate authority (CA) on a Windows Apache server. The CA issues client
certificates that users' browsers present to your service or website over SSL,
so the certificate takes the place of a password for authentication.
Installation
- Make sure you are running Windows 98 or later.
- Install the following software packages in your root directory if you
don't already have them:
- The OpenSA web server (built on top
of Apache). Or, if you prefer, you can use Apache 1.3 installed with the mod_ssl module. All instructions on this
page will reference the OpenSA setup, however.
- Open up the C:/OpenSA/Apache/conf/httpd.conf file. Change the ServerName
and ServerAdmin directives to your own server name and administrator address.
Change HostNameLookups from 'off' to 'on'. (Apache will then resolve each
client's IP address to a host name on every request, which adds a DNS lookup
per request.)
- ActivePerl
for Windows.
- Cygwin
- The Blat
program for SMTP mailing.
- Copy the blat executable into C:/OpenSA/Apache/bin.
- Download and unzip the ca files.
- Overwrite C:/OpenSA/Apache/cgi-bin with the unzipped cgi-bin folder from
ca_files.
- Copy the ssl.ca-0.1 folder from ca_files into C:/OpenSA/Apache/conf.
- Overwrite C:/OpenSA/Apache/htdocs/index.html with the supplied
index.html file.
- In C:/OpenSA/Apache/htdocs/index.html, replace "your site here" with the
web address of your service. Do the same in
C:/OpenSA/Apache/cgi-bin/loadCert.pl.
- For each file in C:/OpenSA/Apache/cgi-bin, replace all instances of
'www.domain.edu' with your server's domain name.
- Follow steps 1-3 under 'Example Usage' in the
C:/OpenSA/Apache/conf/ssl.ca-0.1/README file. You can run the scripts from
Cygwin. Remember the PEM passphrase you choose when you create the new root
CA; it protects the root CA's private key.
- Open up the C:/OpenSA/Apache/conf/ssl.ca-0.1/sign-user-certs.sh file and
replace all instances of 'password' with the PEM passphrase you chose when
creating the root CA. The passphrase is now stored in clear text, so anyone
who can read this file (or the CA key stored beside it) can sign certificates
that your service will accept. Limit who can read the ssl.ca-0.1 directory,
and never copy it under the htdocs document root.
- Start your server by selecting 'Programs->OpenSA web
server->Management->Start Apache with SSL' from the Start menu. If you
ever need to stop the server, you can select 'Stop server' from this same
menu.
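As an added example (not the ssl.ca-0.1 scripts themselves, nor anything from
ca_files), here is the same sequence done with plain openssl commands that can
be typed into Cygwin: create the root CA, issue a user certificate carrying the
name, e-mail and organizational unit that the enrollment form collects, package
it for a browser, and check that the result chains to the root. The directory,
names, addresses and passphrases are made up; the script assumes openssl is on
the PATH.

```shell
#!/bin/sh
# Added example (not the ssl.ca-0.1 scripts): the root-CA and user-certificate
# steps done with plain openssl commands, as you could run them from Cygwin.
# Assumptions: openssl is on PATH; paths, names and passphrases are made up.
set -eu

# Working directory for keys and certificates (stands in for ssl.ca-0.1/).
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Step 1 (new root CA): private key encrypted with the PEM passphrase, plus a
# self-signed certificate. Keep ca.key readable only by the CA operator.
new_root_ca() {
  ca_pass="$1"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
    -passout "pass:$ca_pass" \
    -subj "/O=Example University/OU=Certificate Authority/CN=Example Root CA" \
    2>/dev/null
}

# Step 2 (new user cert request): key and request carrying the name, e-mail
# and OU the enrollment form collects. -nodes leaves the user key unencrypted
# until it is packaged below.
new_user_cert() {
  user="$1"; name="$2"; email="$3"; ou="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$CA_DIR/$user.key" -out "$CA_DIR/$user.csr" \
    -subj "/O=Example University/OU=$ou/CN=$name/emailAddress=$email" \
    2>/dev/null
}

# Step 3 (sign user cert): sign the request with the CA key. The extensions
# mark the result as a non-CA client-authentication certificate, so it cannot
# be used to sign further certificates or to impersonate a server.
sign_user_cert() {
  user="$1"; ca_pass="$2"
  ext="$CA_DIR/user_ext.cnf"
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid,issuer' > "$ext"
  openssl x509 -req -sha256 -days 365 \
    -in "$CA_DIR/$user.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -passin "pass:$ca_pass" \
    -CAcreateserial -extfile "$ext" \
    -out "$CA_DIR/$user.crt" 2>/dev/null
}

# Package certificate, key and root into a PKCS#12 file, the format browsers
# import; the export password protects the user's private key in transit.
export_p12() {
  user="$1"; p12_pass="$2"
  openssl pkcs12 -export -in "$CA_DIR/$user.crt" -inkey "$CA_DIR/$user.key" \
    -certfile "$CA_DIR/ca.crt" -name "$user" \
    -out "$CA_DIR/$user.p12" -passout "pass:$p12_pass"
}

# The check mod_ssl performs: chains to our root and is valid for a TLS client.
verify_user_cert() {
  openssl verify -purpose sslclient -CAfile "$CA_DIR/ca.crt" \
    "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Extract one subject attribute (CN, OU, emailAddress) from an issued
# certificate: what the SSL_CLIENT_S_DN_* variables show the CGI scripts.
cert_subject_field() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$CA_DIR/$1.crt" |
    sed -n "s/.*$2=\([^,]*\).*/\1/p"
}

# Demo run with constructed data.
new_root_ca 'root-ca-passphrase'
new_user_cert alice 'Alice Example' 'alice@example.edu' 'Students'
sign_user_cert alice 'root-ca-passphrase'
export_p12 alice 'alice-export-pw'
verify_user_cert alice && echo "alice.crt verifies against $CA_DIR/ca.crt"
echo "CN: $(cert_subject_field alice CN)"
```

The root CA's passphrase is passed on the command line here for brevity; in a
script that Apache runs unattended, that is exactly the clear-text secret the
sign-user-certs.sh step creates, so guard such a script the same way you guard
the CA key.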
Usage
The idea behind the certificate authority is that a user must first visit an
enrollment page to request a certificate, which is then stored in his or her
browser. Once the user has a certificate, he or she may proceed directly to your
service. The index.html file included in ca_files reflects this intended
behavior.
When a new user wishes to use your site, he or she should select the option
to make a new certificate request from the home page. The user will be prompted
for a name, email, and organizational unit to be used in the certificate
generation. Once the certificate has been generated, an email is sent to the
address the user entered in order to confirm that the user actually made the
request. The e-mail contains a hyperlink that installs the new certificate in
the user's browser. This e-mail is the only check on the request: the CA
vouches that whoever holds the certificate could read mail at that address, not
that the name and organizational unit entered are genuine, so do not rely on
those fields for anything more than the mailbox proves. Thereafter, when the
user visits your site, his or her browser will present the certificate as a
means of authentication.
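For the browser's certificate to actually authenticate the user, the server
side must ask for it and check it against your root. The mod_ssl directives
below are an added example, not part of ca_files or the OpenSA distribution;
the path to ca.crt and the assumption that your service lives under /service
on the same host are illustrative.

```apache
# Added example (not from the ca_files package): mod_ssl directives that make
# Apache demand a certificate issued by your root CA. Paths are assumptions;
# place this inside the SSL virtual host in C:/OpenSA/Apache/conf/httpd.conf
# after the existing SSLEngine/SSLCertificateFile lines.

# Only certificates chaining to a CA in this file are accepted. List your root
# CA alone: every CA in this file can mint certificates that log users in.
SSLCACertificateFile "C:/OpenSA/Apache/conf/ssl.ca-0.1/ca.crt"

# Enrollment pages stay reachable without a certificate, so new users can
# still request one.
<Location /cgi-bin>
    SSLVerifyClient none
</Location>

# The service itself requires a client certificate signed directly by the
# root (depth 1) and exposes the certificate's subject to CGI scripts as
# SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN, SSL_CLIENT_S_DN_Email and so on.
<Location /service>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
</Location>
```

With SSLVerifyClient set to require, a browser that holds no certificate from
your CA is refused before any page is served; scripts under /service can then
identify the user from SSL_CLIENT_S_DN_Email rather than from a form field.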
Note: The first time a user requests a certificate, the browser may warn that
it does not recognize your new root certificate authority. Users should choose
to trust your root CA if they wish to use your service. Because a trusted root
can vouch for any site, publish the root certificate's fingerprint somewhere
users can compare it with what the browser shows before they accept it.