
Certificate provisioning for apache webservers

Created: 08 Apr 2011
Author: Andreas Zengel

This is a script, written in Ruby, that automatically provisions Apache web servers with the certificates they require.

It detects whether the web server is running multiple virtual hosts and requests a certificate for every web site that has SSL enabled. On every run it also checks whether the certificates are about to expire; if they are, it automatically renews them and updates the Apache configuration.
PGP Command Line Version required (min): 10.0.0
PGP Universal Server Version required (min): 3.0.0
Script language: Ruby
Developed for platform: Linux
Platforms the script will work on: Linux, Unix, Windows

* A reachable Universal server
* An SSL-enabled Apache installation, on Linux.
  - Working configuration files for apache, with at least one SSL
    host. Multiple SSL hosts are recommended, on separate IP
* A licensed PGP Command Line on the same machine as the apache server.
* Copy the script cert_provision.rb to the target Linux box.
* Edit the "config" section at the top of the script to match the IP
  or hostname of the KMS server, where to find the httpd.conf file(s),
* Run an authenticated PGP Command Line KMS command and tell it to
  cache the authentication cookie. For example:
  pgp --usp-server --usp-search-mak 'NOT(EQ(NAME,""))' --brief \
       --usp-cache-auth --auth-username usp-user --auth-passphrase passphrase
  The script assumes an authentication cookie exists. If it does not,
  it will fail with permission errors. Also note that the USP server string
  given on this command has to match the one in the config file; it is
  not sufficient that they resolve to the same machine. 

* For testing recognition of a valid existing configuration, just run
  the script (as root) on the existing config. If the cert/key are
  valid, they should be recognized (and assuming verbose mode, it will
  be displayed).
* For testing missing keys or certs, remove either a key or a cert (or
  both) from one of the configured hosts. Run the script. A new cert
  and key should be configured and put in place.
* For testing expired certs, place an expired cert in the right place
  for that host. Run the script, and make sure the certificate gets
* Any time a cert is issued, the httpd process will be restarted, so
  the virtual host should come up, and should be working, as soon as
  the script finishes.
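The per-run decision described above (find every SSL-enabled virtual host, then classify its certificate as valid, missing, or expired so that only the hosts that need it get a new certificate) and the three test cases listed here can be exercised without a Universal Server. The following is an added example written for this page, not Andreas Zengel's cert_provision.rb: it parses a constructed httpd.conf, generates throwaway self-signed certificates in a temporary directory, and reports what the script would do for each host. The 30-day renewal window and the :mismatch check (certificate does not match the key file next to it) are assumptions; the original script's window is set in its "config" section, and the actual issuing step via PGP Command Line is not reproduced here.

```ruby
# Added example: Apache SSL vhost discovery plus certificate status check.
# Not the cert_provision.rb script from the page; the renewal window and the
# key/cert mismatch check are assumptions made for this example.
require 'openssl'
require 'tmpdir'

# Constructed httpd.conf with three SSL vhosts and one plain-HTTP vhost.
# Paths point under +dir+ so the example can run against temporary files.
def sample_conf(dir)
  <<~CONF
    <VirtualHost 192.0.2.10:443>
        ServerName www.example.com
        SSLEngine on
        SSLCertificateFile    #{dir}/www.crt
        SSLCertificateKeyFile #{dir}/www.key
    </VirtualHost>
    <VirtualHost 192.0.2.11:443>
        ServerName shop.example.com
        SSLEngine on
        SSLCertificateFile    #{dir}/shop.crt
        SSLCertificateKeyFile #{dir}/shop.key
    </VirtualHost>
    <VirtualHost 192.0.2.12:443>
        ServerName admin.example.com
        SSLEngine on
        SSLCertificateFile    #{dir}/admin.crt
        SSLCertificateKeyFile #{dir}/admin.key
    </VirtualHost>
    <VirtualHost *:80>
        ServerName www.example.com
    </VirtualHost>
  CONF
end

# Every <VirtualHost> block with "SSLEngine on", as {name:, cert:, key:}.
# Plain-HTTP hosts are skipped, which is why the *:80 block above is absent.
def ssl_vhosts(conf_text)
  conf_text.scan(%r{<VirtualHost[^>]*>(.*?)</VirtualHost>}m).filter_map do |(body)|
    next unless body =~ /^\s*SSLEngine\s+on\b/i
    {
      name: body[/^\s*ServerName\s+(\S+)/i, 1],
      cert: body[/^\s*SSLCertificateFile\s+(\S+)/i, 1],
      key:  body[/^\s*SSLCertificateKeyFile\s+(\S+)/i, 1],
    }
  end
end

# Classify the on-disk material of one vhost. renew_within (assumed 30 days)
# is the lead time before notAfter at which a renewal would be requested.
def cert_status(vhost, now: Time.now, renew_within: 30 * 86_400)
  return :missing unless vhost[:cert] && vhost[:key] &&
                         File.exist?(vhost[:cert]) && File.exist?(vhost[:key])
  cert = OpenSSL::X509::Certificate.new(File.read(vhost[:cert]))
  key  = OpenSSL::PKey.read(File.read(vhost[:key]))
  return :mismatch unless cert.check_private_key(key)  # wrong key beside the cert
  return :expired  if cert.not_after <= now
  return :expiring if cert.not_after - now < renew_within
  :valid
end

# Throwaway self-signed cert/key pair, used only to stage the test cases.
def write_self_signed(cert_path, key_path, cn, not_before:, not_after:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(cert_path, cert.to_pem)
  File.write(key_path, key.to_pem)
end

# Stage the page's test cases: a valid cert, an expired cert, and a host with
# no cert/key at all. Returns {servername => status}.
def demo
  Dir.mktmpdir do |dir|
    now = Time.now
    write_self_signed("#{dir}/www.crt", "#{dir}/www.key", 'www.example.com',
                      not_before: now - 86_400, not_after: now + 365 * 86_400)
    write_self_signed("#{dir}/shop.crt", "#{dir}/shop.key", 'shop.example.com',
                      not_before: now - 400 * 86_400, not_after: now - 86_400)
    # admin.example.com: nothing written, so its files are missing
    ssl_vhosts(sample_conf(dir)).to_h { |vh| [vh[:name], cert_status(vh, now: now)] }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints one status per SSL host: www.example.com is :valid, shop.example.com is :expired, and admin.example.com is :missing; the *:80 host never appears. In the real script, every host that is not :valid is the one for which a certificate would be requested from the Universal Server and httpd restarted afterwards.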