New Apache module allows web hosts to use file-based SSL certificate validation w/o using files

This post gives our readers a brief overview of our work in the Hosting & CDN environment. It outlines how SSL/TLS automation can be implemented securely, cost-neutrally and in a compliant way for small and medium hosts:

But let me give you a quick refresher:

If a web host orders an SSL certificate with domain validation, they can choose from several validation methods.

Method: File
Description: The Certificate Authority will check the contents of a specific file on your customer’s webspace. Name and content will be given to you by the Certification Authority. The web server’s fully qualified domain name usually corresponds to the common name that is going to be secured by the certificate.
Pros:
  • Sending an e-mail (to the end customer) can be dispensed with.
  • The DNS zone does not need to be checked.
  • There is no need for the hoster to be the manager of the domain’s DNS zone.
Cons:
  • A file needs to be created on the customer’s webspace.
  • The customer could remove the file before the validation has been carried out.
  • Your ordering routine might need write access in order to create the file on the webspace.
  • Generated files are often forgotten and create more work for your support team.

Method: DNS
Description: The Certificate Authority will check the existence of the CNAME entry and its value.
Pros:
  • Sending an e-mail (to the end customer) can be dispensed with.
  • No files need to be created on the customer’s webspace.
Cons:
  • The hoster needs to be the manager of the domain’s DNS zone.
  • DNS entries are often deployed with a huge delay.
  • Controlling the DNS zones is often complex.
  • Set entries are often forgotten and might confuse customers.

Method: Email
Description: The Certificate Authority sends an e-mail to a specific address and the contact needs to approve the order.
Pros:
  • There is no need to create a file on the webspace of the customer.
  • There is no need to access the DNS infrastructure.
  • There is no need for the hoster to be a DNS administrator.
Cons:
  • The customer receives an e-mail and needs to confirm the certificate request.
  • It may be that none of the e-mail addresses accepted by the CA can be received by the customer.
  • No real automation is possible.


Depending on the environment and scope, web hosts usually prefer to validate new SSL/TLS certificates by DNS or by file, and many choose DNS for a simple reason: security and compliance requirements do not allow them to have direct write access to the customer’s webspace. With the Apache module mod_fauth, web hosts can now rely on file validation without having to manage any of the files used during a proper validation process. This is currently in place for Domain-Validated certificates from Thawte, GeoTrust, RapidSSL, GlobalSign, AlphaSSL and AlwaysOnSSL (Symantec Secure Site Starter).

How does it work?

Of course, mod_fauth doesn’t change the way CAs validate control of a domain. A file-based validation will always remain a file-based validation. The module uses pattern matching and is triggered only if a relevant request comes in. In most cases, a relevant request means that Apache did not find a corresponding file (status 404) and the requested file name matches what the module expects. Once triggered, the module asks the web service (or the key-value store behind the web service) whether a proper hash is stored for it. If so, the module replaces the status 404 with status 200 and delivers the hash to the client. If no content is found, the module passes the original 404 status and “Not Found” content through unchanged.

Communication with the key-value data store

The module takes care of the communication between the integrated key-value data store and requesting clients. But of course, the data needs to be written before it can be delivered. This data is exactly the information that was provided by the CertCenter API after submitting the order:

Which data needs to be stored?

The CertCenter API (REST/SOAP) provides the data for each order that uses file-based validation. Example:

// Decoded API response (json_decode() yields an object, hence the -> access used below).
$FileAuthDVDetails = (object) Array(
 'FileContents' => 'IweLMqVQjE657chnAy7R',
 'FileName' => 'xx3cqlz8.htm'
);

How to put the data into the data store?

The data provided by the API must now be stored in the key-value data store. We’re using a simple web service to get this done. The following PHP example shows how it works:

// Key = file name, value = hash (see the note below for host-name keyed products).
$curl = curl_init("https://fauth-db.eu.certcenter.com/{$FileAuthDVDetails->FileName}");
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, Array("x-api-key: YOUR-API-KEY", "Content-type: application/json"));
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode(Array("hash" => $FileAuthDVDetails->FileContents)));
$response = curl_exec($curl);
curl_close($curl);
// curl_exec() returns false on transport errors and json_decode() then yields null, so check both.
$r = ($response !== false) ? json_decode($response) : null;
if ($r !== null && isset($r->message) && $r->message == 'success') {
  echo 'Done writing!';
} else {
  echo 'Error occurred while writing to key-value storage!';
}
Note: In this example $FileAuthDVDetails->FileName is the key and $FileAuthDVDetails->FileContents is the value. However, for GlobalSign products as well as AlwaysOnSSL (Symantec Encryption Everywhere) certificates, you have to use the server’s host name (Common Name) as the key. To do this, use https://fauth-db.eu.certcenter.com/www.your-domain.tld to put your hash into the key-value storage.
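As an added illustration (not code from this post or from mod_fauth itself), the following Python sketch simulates the decision the module makes on a request, as described under “How does it work?”, together with the host-name keyed lookup from the note above. The file-name pattern, the in-memory store and its entries are constructed assumptions; the real module’s patterns are not given in the post.

```python
import re
from typing import Dict, Tuple

# Constructed in-memory stand-in for the key-value store the module queries.
# Keys are either the CA-provided file name or, for GlobalSign/AlwaysOnSSL
# products, the host name (Common Name), as the note above describes.
STORE: Dict[str, str] = {
    "xx3cqlz8.htm": "IweLMqVQjE657chnAy7R",            # file-name keyed (from the post's example)
    "www.example.test": "constructed-hostname-keyed-hash",  # host-name keyed (constructed)
}

# Assumed shape of a CA-issued validation file name: 8 alphanumerics + ".htm".
# Requests that do not match are never considered relevant by this sketch.
VALIDATION_FILE = re.compile(r"^[a-z0-9]{8}\.htm$")


def lookup_key(host: str, filename: str, hostname_keyed: bool) -> str:
    """Store key: the file name by default, the Common Name for host-name
    keyed products (GlobalSign, AlwaysOnSSL)."""
    return host if hostname_keyed else filename


def serve(host: str, path: str, file_exists: bool,
          store: Dict[str, str] = STORE,
          hostname_keyed: bool = False) -> Tuple[int, str]:
    """Simulate Apache's answer with mod_fauth in the request chain.

    Returns (status, body). The module only acts when Apache would otherwise
    answer 404 and the requested name matches the pattern; a hit in the store
    turns the 404 into a 200 carrying the stored hash, a miss passes the
    original 404 through unchanged.
    """
    if file_exists:
        return 200, "<real file served by Apache>"
    filename = path.rsplit("/", 1)[-1]
    if not VALIDATION_FILE.match(filename):
        return 404, "Not Found"          # not a relevant request, module stays silent
    value = store.get(lookup_key(host, filename, hostname_keyed))
    if value is None:
        return 404, "Not Found"          # nothing stored: pass the original 404 through
    return 200, value                    # validation hash delivered in place of the 404
```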

How to get the data removed from the database?

The garbage collector takes care of this automatically and removes old files and data. As a CertCenter Partner you don’t need to worry about it.

Compatibility

The module was developed by us for use on Apache 2.x and can be used in all common environments, whether in conjunction with PLESK, cPanel or other hosting environments. The module has no special requirements, only OpenSSL (for the secure connection to the web service), gcc and the Apache web server.

Download and use

The Apache module can be downloaded here and is available under the MIT license. To use the module with the key-value database provided by CertCenter, you need an API key, which you will receive from our Support Team. Of course you can also integrate your own web service and decline the offer to use the free key-value storage. You can also use the module even if you are not a CertCenter partner.

admin