iranstill.blogg.se

Mercurial windows authentication iis










As one of the primary developers touching certificates in the Mercurial world, I am often asked how they work, what people need to do to use them and how they can work well with Mercurial.

A principal thing to remember here is that Mercurial will not work as a complete server out of the box: it does not request authentication information, in the form of basic, digest, or certificates, at all. This means that in order to use X.509 certificates with Mercurial, one needs to place a web server that knows of these authentication mechanisms in front of it.

This guide was written at the time of Mercurial version 1.5.1 and touches on many newer features, so if your distribution is old or lacks these features, perhaps it's time to upgrade to the latest and greatest.

The most commonly known aspect of X.509 is the certificates. At some level, one can think of an X.509 certificate as having a public and a private key. The public key is the one that secure websites present to you when you, for instance, visit Gmail. You can encrypt data to the intended recipient using this key and only with the corresponding private key can this information be decrypted. In reality, the actual public/private key pair is only used to compute a shared secret, and this is the secret used to communicate securely for the remainder of the conversation.

An X.509 certificate is issued by a certificate authority. Some of the commonly known certificate authorities, i.e. those that are trusted by a lot of people, can be seen in your browser's certificate settings; however, a certificate authority can be anybody you trust, e.g. This certificate authority can then issue server certificates (that represent a server's identity), and client certificates (that represent a client's identity). As long as you control the ecosystem of your environment, e.g. you know who your clients are, they know who you are, there is no reason to give out money to some third-party certificate authority; you can accomplish everything you need to on your own.

In order to become your own certificate authority and certificate issuer, you need one of two tools: OpenSSL or makecert.exe, the latter only being available on Windows (there are probably countless other tools as well, to be fair, but I do not cover them here). Below I will cover how to use each of these to set up everything, but before we delve into the details, we will look very briefly at what a certificate authority certificate is, and what ‘normal’ certificates are.

Certificate authority: A certificate authority is basically just a certificate that has signed itself. If you trust this certificate's public key, you will also trust any certificate that has been issued by this certificate authority.

Normal certificates: A normal certificate is just a certificate that has been signed by a certificate authority (or in reality a certificate authority or an intermediate certificate; you can have a full chain of certificates signing each other if needed).

Now, there are a lot of weird details in these certificates. You may hear terms thrown around such as OU (Organisational Units) and whatnot. The only important part for our purposes is the CN (Common Name). This is the name of the certificate holder, e.g. So if you access your server as ‘hg.my.rver’, your server certificate's CN must be ‘hg.my.rver’.

Like everything else in the X.509 certificate landscape, OpenSSL has a lot of options, switches and strange voodoo attached to it. Lest this post be turned into a really boring tutorial on certificates, I will just give a few very cursory examples of how you can generate the different certificates. There are plenty of different tutorials on this topic already. Note that Microsoft's IIS is a tad weird in how exactly it requires the certificate to be constructed, so we will not cover this for OpenSSL, but only for makecert.exe (inquiring minds can figure out all the details of generating certificate requests and processing these in OpenSSL if they prefer).

Certificate authority: openssl req -x509 -nodes -days 365 -subj '/CN=MyCA' -newkey rsa:1024 -keyout ca.key -out ca.pem

The ‘MyCA’ part specifies the name of your certificate authority, so you will probably want to name it something a bit more descriptive. This gives us a certificate authority certificate with a private key stored in ca.key and the public certificate in ca.pem. You will need both of these to issue other certificates. Also, if you do not want to get scary pop-ups with invalid certificate trust models in your browser when you browse the hg repositories through hgweb, you will need to install ca.pem into the trusted root certificate authorities in your browsers.

Generate request for signing: openssl req -new -nodes -out name-req.pem -keyout name.key -subj '/CN=name'
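The post's two openssl commands (certificate authority, then request for signing) carried through to a signed server certificate and a check of it, as an added example that is not part of the original post. The signing step, the subjectAltName extension (current clients match host names against it rather than only the CN), the 2048-bit keys in place of rsa:1024 (no longer considered adequate), and the names MyCA and hg.example.test are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: private CA -> request -> signed server cert -> checks.
# MyCA, hg.example.test and the file names are placeholders for this example.
set -eu

make_ca() {        # $1 = directory, $2 = CA common name
  openssl req -x509 -nodes -days 365 -subj "/CN=$2" -newkey rsa:2048 \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

make_request() {   # $1 = directory, $2 = host name (CN and file prefix)
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2-req.pem" 2>/dev/null
}

sign_request() {   # the CA signs the request and adds a matching subjectAltName
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2-req.pem" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial 1 -days 365 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

cert_cn() {        # $1 = certificate; prints the subject's Common Name
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    awk -F'= ' '/commonName/ { print $2 }'
}

check_cert() {     # $1 = CA cert, $2 = cert, $3 = host name the client dials
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo untrusted; return 1; }
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1 ||
    { echo name-mismatch; return 1; }
  echo ok
}

# Demo in a scratch directory
dir=$(mktemp -d)
make_ca "$dir" MyCA
make_request "$dir" hg.example.test
sign_request "$dir" hg.example.test
echo "CN: $(cert_cn "$dir/hg.example.test.pem")"
check_cert "$dir/ca.pem" "$dir/hg.example.test.pem" hg.example.test
check_cert "$dir/ca.pem" "$dir/hg.example.test.pem" hg.other.test || true
rm -rf "$dir"
```

check_cert separates the two failures a client can hit: a certificate that does not chain to the installed ca.pem, and one that chains but was issued for a different host name.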










