How to do FTP over SSL using secure certificates in PEM format using PERL?
Can someone provide hints as to which modules to be used to achieve this and if possible some sample code.
Creating a Self-Signed CA Certificate
The first step in creating a Certificate Authority (apart from designing the management, administrative and legal framework) is to create a self-signed certificate for the Certificate Authority. This is done in SSLeay by running the req command (see Example 5 in the Appendix). This command produces a certificate file (CAcert.pem) and key file (CAkey.pem). The CA certificate and key files must remain in $SSLDIR/private, which is where SSLeay will look for them by default (as specified in the ssleay.cnf CA default section), both when acting as a certificate authority, and also when used by the server to implement SSL and validate client certificates signed by the CA.
Install the self-signed certificate in a browser so the browser will recognize server certificates signed by the Certificate Authority. Installing a CA certificate in a browser is somewhat dangerous, unless you trust that certificate and the security of the Certificate Authority. Once installed, the browser accepts any certificate signed by that authority.
To install the CA certificate, load it using HTTP Content-Type application/x-x509-ca-cert. To do this in a manner which does not depend on the server, use the cgi-script (Example 6 in the Appendix), or save the certificate in a file with a cacert suffix and define this suffix in the server configuration file to correspond to the application/x-x509-ca-cert MIME type. For the Apache server, for example, add the line AddType application/x-x509-ca-cert cacert to srm.conf. The certificate and key files must also remain available to SSLeay for the server to be able to use the public key, and the certificate authority to use the private key.
b. Creating a Server Certificate
A server certificate authenticates the server to the client. To make a server certificate, create a certificate request, sign it with the self-signed CA certificate, and then install the certificate as follows:
Use the "req" command to create a new certificate request with SSLeay (See Example 8 in the Appendix). This command creates files containing a certificate request and the private key.
Sign the request using the "ca" command (see Example 11 in the Appendix). This will produce a file containing the certificate.
Copy the certificate and key files to the server certificate directories.
cp newcert.pem $certdir/sitecert.pem
cp newkey.pem $certdir/sitekey.pem
Create hashes for the certificates in the server directory:
CD $certdir
ln -s sitecert.pem `$SSLDIR/bin/x509 -noout -hash < sitecert.pem`.0
Create the DER format server certificate file:
$SSLDIR/bin/x509 -in CAcert.pem -out CAcert.der -outform DER
Update the server configuration file to specify that this is the server certificate to use.
In order to easily find certificates, SSLeay uses hashes of the certificate subject names. Thus, when looking for the certificate of the issuer of a certificate, it looks for a file named with the hash value of the issuer name. The avoids opening files and examining certificates to find a match. The SSLeay x509 command may be used to manipulate certificates; one option is to create a hash of the subject name.
Once these steps have been completed, an SSL connection may be established if the server does not require client certificates.
b. Creating a Client Certificate
A client certificate is used to authenticate a client to a server. Creating and installing a client certificate is more difficult than creating a server certificate because the client must generate a key-pair, keep the private key to itself, and send the public key to the certificate authority to be incorporated into a certificate request. Once a signed certificate has been created using the Certificate Authority, this client certificate must be installed in the client so that the client may present it when needed.
Different clients such as Netscape Navigator 3.01 Gold and Microsoft Internet Explorer 3.02 support different mechanisms for creating client certificates. In this section, we demonstrate a technique for creating and installing a client certificate for each, using SSLeay certificate routines to sign certificate requests (Back up the Windows NT registry before creating client certificates with Internet Explorer).
The procedure for creating a client certificate involves HTML forms; these forms include client specific features such as special tags or JavaScript programs, and Perl CGI scripts that call SSLeay certificate handling applications. The procedures do not rely on special server features, other than the ability to run Perl CGI scripts. The examples completely automate the process, causing a client certificate to be installed once the request form is submitted. (In a production environment the Certificate Authority would need to perform validation instead of automatically issuing the certificate.)
The general steps for creating a client certificate are as follows:
User requests HTML page that displays form on client
User enters identification information
Submission of the form causes the following sequence to occur:
Browser generates a key pair (public and private key)
Private key is stored in browser
Public key is sent with identification information to the server
Server CGI script creates certificate and loads it into the client
The HTML form includes fields (containing defaults) for the different distinguished name attributes which are to be used in the client certificate, information allowing the browser to generate a key-pair, and a hidden field used to return this information to the CGI script. This hidden information is browser dependent.
In Netscape Navigator, the form contains an additional FORM tag, the <KEYGEN> tag. This tag creates a key pair, and causes the public key to be returned as a form value when the form is submitted (see Example 12 in the Appendix for source of a sample form). The <KEYGEN> tag causes the browser to display a choice of security grades, depending on the version of Navigator
Categories: Secure Certificates Tags:
Cheap Domain Names
A domain name is an Internet or web-based name that makes it easy for users to find your site. In reality, your domain name, or in other words your computer’s address, is a complex string of numbers that people would find difficult to remember and annoying to key in. Fortunately, the Domain Name System (DNS) allows computers to convert these numbers into letters and numbers that people find easier to understand and remember. Acquiring a domain name was once quite expensive, but cheap domain names are now readily available.
Domain names were expensive in the early days of the Internet, because they were available from only one organisation, Network Solutions, operating through an exclusive government contract. At one time, domain names cost ?100 or more. By 1998, however, the massive growth of the Internet led to the formation of the Internet Corporation for Assigned Names and Numbers (ICANN), a private sector, non-profit organisation formed by a combination of global Internet interests. With deregulation came cheap domain names, because one of ICANN’s main aims was the encouragement of greater competition in the domain registration industry. There are now many competitors and, depending on the provider, domain names are now priced at around ?5-?10 a year, a far cry from the expensive prices that formerly prevailed.
Even before the advent of cheap domain names, a domain name was considered essential for major businesses. Customers now expect businesses to have easily accessible websites. Without a domain name, a business website is less easy to find and has a less professional appearance. With the availability of cheap domain names providing even greater incentive to secure your own domain name, registration also gives you the benefits of having such information as your company’s name or product names made easy for prospective customers to find. This is because the domain name you register is associated with the computer you specify, allowing you to reach Internet users through your website.
When obtaining a domain name, your best option is to select an accredited registrar or obtain a recommendation for an existing provider. While domain name registering is quick and easy, you should take some time to shop around and consider the many choices available. As well as comparing the prices of cheap domain names, you should be careful to see what other advantages are on offer, such as customer service.
Cheap domain names can bring in a lot of business if they are chosen carefully. With thousands being registered daily, the choice of name may require a little thought to make sure it is as effective as possible. Try to create a name that has a number of qualities such as being easy to remember, attention getting, and relevant to the product or service you are providing. Don’t forget, too, that the inclusion of keywords has the potential to improve your site’s ranking in connection with the results returned by search engines.
If you want to register a domain name with a well-known ending such as .com or .net, as well as. aero, .biz, .com, .coop, .info, .museum, .name, .org or .pro, you can do so through one of the many competing registrars accredited by ICANN. You will need to provide the registrar of your choice with contact and technical information. The technical information will go to a central registry from where it will be provided to other computers so their users can locate your site or e-mail you. With the ease and speed of registration and the availability of cheap domain names, registering a domain is well worth the effort. Whether you are selling products or offering a service, or just want your name up there for some other reason, a domain name ensures that your information can reach as many people as possible.
Adrian Lawrence
http://www.articlesbase.com/internet-articles/cheap-domain-names-126995.html
Categories: Domain Names Tags:
What’s the best backup solution for our company?
We have about 50 employees, and about 100 total computers, including some enterprise level servers with large storage capacities. Most workstations are Windows based, most servers are Linux or BSD based. Our network is built on a stack of Cisco 10/100 switches. I would imagine the storage required for the backup would be between 500GB to 1000GB. I don’t imagine doing full backups daily, but at least every week. Are there standalone solutions that can be managed remotely? I would like something that I can plug into the network, without having to build a computer system to house it.
While you might like to not have to build a computer system in house, that is the best way to go for companies of your size. Especially if any of the data is mission critical and if you would lose profits and go out of business if the information on those computers was lost. What you need to look at is a terabyte system with tape or optical backup solutions that you can keep off site, preferably in a different state or regional location. Disasters happen and being unprepared isn’t permissible to most businesses. The type of backup you want to do depends on how much the information in your business changes and how critical it is. But typically in a business you want to setup a RAID 5 server with a differential backup setup that you can back up to tape or optical media. RAID 5 is fast and redundant (this is a good thing in backup systems). You can get backup systems from HP and other Manufacturers, and since your a business thats the best way to go typically unless you have an inhouse IT person that knows what they are doing. If you need anything else let me know.
JC.
Categories: Backup Solutions Tags: