@GrahamDumpleton
Last active January 10, 2020 22:05

Running HTTPS and client authentication with mod_wsgi-express.

Note that for client authentication the very latest mod_wsgi-express version is required.

For now this means installing from the git repo. To install run:

pip install -U https://github.com/GrahamDumpleton/mod_wsgi/archive/develop.zip

To create a self-signed server certificate so that you can run HTTPS use:

# Step 1: Generate a private key (2048 bits; 1024-bit RSA is considered too
# weak and is refused by many current TLS stacks)
openssl genrsa -des3 -out server.key 2048

# Step 2: Generate a CSR (Certificate Signing Request). When prompted, enter
# the server's FQDN (e.g. ssl.example.com) as the Common Name.
openssl req -new -key server.key -out server.csr

# Step 3: Remove the passphrase from the key so Apache can start unattended.
# Keep server.key readable only by the user running mod_wsgi-express.
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

# Step 4: Generate a self-signed certificate (valid for 365 days)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

To create a client certificate for client authentication use:

# Step 1: Create the CA key and certificate used to sign client certs.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Step 2: Create the client key and CSR (2048 bits, as for the server key)
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr

# Step 3: Sign the client certificate with our CA. Unlike the server
# certificate, this one must not be self-signed: the server only accepts
# client certificates that chain to ca.crt. Note that -set_serial 01 gives
# every certificate issued with this command the same serial number, so use
# a different serial (or -CAcreateserial) for each additional client.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Then run mod_wsgi-express as:

mod_wsgi-express start-server --log-to-terminal --startup-log \
    --https-port 8443 --https-only --server-name ssl.example.com \
    --ssl-certificate-file ssl-certs/server.crt \
    --ssl-certificate-key-file ssl-certs/server.key \
    --ssl-ca-certificate-file ssl-certs/ca.crt

Set --server-name to the actual FQDN used in the server certificate, i.e. the Common Name entered when creating the server CSR.

One can use curl against the site as:

curl --insecure --cert client.crt --key client.key https://ssl.example.com:8443

--insecure is needed only because the server certificate is self-signed; to keep server verification on, pass --cacert server.crt instead. Running the same command without --cert/--key (or with a certificate not signed by ca.crt) should make the TLS handshake fail, which is the quick way to confirm that client authentication is actually being enforced.
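The following script is added here as a worked example; it is not part of the gist and not mod_wsgi's own tooling. It runs the whole key and certificate procedure above unattended and then checks the results the way a practitioner would before pointing mod_wsgi-express at the files: that client.crt actually chains to ca.crt (the check mod_ssl performs on the client), that each private key belongs to its certificate, and that the server certificate carries the hostname as a subjectAltName (which is what current clients match against, not the CN). It assumes a working openssl binary (1.1.1 or 3.x). Two deliberate differences from the commands above: keys are created without a passphrase (-nodes) instead of adding one and stripping it again, and the server certificate is issued by the same private CA rather than self-signed, so curl can verify it with --cacert ca.crt instead of --insecure. The names ssl.example.com and "Example Client CA", and the output directory, are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: generate CA, server and client certificates
# for mod_wsgi-express client authentication and verify them with openssl.
# Assumes openssl 1.1.1 or 3.x on PATH. Names and paths are illustrative.
set -e

# Private CA used to sign client (and here also server) certificates. The
# basicConstraints/keyUsage extensions are set explicitly so openssl verify
# accepts it as an issuer regardless of the local openssl.cnf defaults.
make_ca() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Server certificate for the hostname clients connect to. The SAN is attached
# at signing time; -CAcreateserial hands out unique serial numbers instead of
# the gist's fixed -set_serial 01 (CRLs identify certificates by serial).
make_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Client certificate for mutual TLS, marked with the clientAuth EKU.
make_client_cert() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Does the certificate chain to this CA? Same check mod_ssl applies to a
# presented client certificate when SSLCACertificateFile points at ca.crt.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Compare the public key
# derived from the key with the one embedded in the certificate.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Is the hostname present as a DNS subjectAltName?
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Generate everything into a directory (argument, or a temp dir) and report.
demo() {
    dir=${1:-$(mktemp -d)}
    mkdir -p "$dir"
    make_ca "$dir"
    make_server_cert "$dir" ssl.example.com
    make_client_cert "$dir" client
    verify_against_ca "$dir/ca.crt" "$dir/client.crt" && echo "client.crt chains to ca.crt"
    verify_against_ca "$dir/ca.crt" "$dir/server.crt" && echo "server.crt chains to ca.crt"
    key_matches_cert "$dir/server.key" "$dir/server.crt" && echo "server.key matches server.crt"
    cert_has_san "$dir/server.crt" ssl.example.com && echo "server.crt has SAN ssl.example.com"
    echo "Files written to $dir"
}

demo "$@"
```

Saved as a script and run with the output directory as its argument (for instance the ssl-certs directory the mod_wsgi-express command above refers to), it leaves ca.crt, server.crt/server.key and client.crt/client.key ready for the --ssl-* options, and curl can then be used with --cacert ssl-certs/ca.crt in place of --insecure.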
@GrahamDumpleton (Author)

If you have questions about mod_wsgi, use the mailing list.
