The Setting up of the Virtuoso HTTPS Listener can be done by using the file system or using the Virtuoso conductor.

Note that when you want to change from Virtuoso hosted Cert and Public Key to File System and vice versa, first should be stopped the listener for either setup.

  1. X.509 certificate Generation

    The WebID Protocol consumer needs an x509 certificate with v3 extension "Subject Alternate Name". This attribute is used for the owner's Web ID. For testing purposes we used OpenSSL demo CA to generate such certificates. If you are not using the OpenSSL demo CA, you must first setup a self-signed CA; read OpenSSL documents on how to do this.

    1. Add the following line to the [usr_cert] section of the openssl.cnf file:

      subjectAltName=$ENV::ALTNAME
      
    2. Set the environment variable ALTNAME to the owner's Web ID, e.g.,

      export ALTNAME=URI:http://example.com/dataspace/person/myname#this
      
    3. Make a self-signed certificate, e.g.,

      $ CA.pl -newreq (follow the dialog)
      $ CA.pl -sign
      
    4. When asked to commit the certificate, make sure you see several lines above, like

      X509v3 Subject Alternative Name:
          URI:http://example.com/dataspace/person/myname#this
      
    5. If your browser wants a PKCS#12 bundle, you must make one

      $ openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out mycert.p12
      
    6. Rename newcert.pem and newkey.pem , to mycert.pem and mykey.pem for example.

  2. Move newcert.pem , newkey.pem , and cacert.pem into the server's working directory. In our test case, we put the keys in a ' keys ' sub-directory, and added the following lines to the [HTTPServer] section of the Virtuoso INI file, virtuoso.ini :

    SSLPort                     = 4443
    SSLCertificate              = ./keys/localhost.cert.pem
    SSLPrivateKey               = ./keys/localhost.key.pem
    X509ClientVerifyCAFile      = ./keys/localhost.ca.pem
    X509ClientVerify            = 1
    X509ClientVerifyDepth       = 15
    
  3. Also in the Virtuoso INI file, in the [URIQA] section, DefaultHost ( example.com:8890 below) must be edited to correspond to the DNS-resolvable host name ("CNAME") of the Virtuoso host, combined with the ServerPort as set in the [HTTPServer] section of the same INI file.

    [URIQA]
    DynamicLocal = 1
    DefaultHost  = example.com:8890
    

    For example, if the CNAME of the host is virtuoso.example.com , and the ServerPort is 4321 , the DefaultHost should be set to virtuoso.example.com:4321

    [URIQA]
    DynamicLocal = 1
    DefaultHost  = virtuoso.example.com:4321
    
  4. Start the Virtuoso server, and look at the log file. Once HTTPS is up, you should see something like:

    HTTPS Using X509 Client CA ....
    HTTPS/X509 server online at 4443
    
  5. Setting Up Firefox:

    1. In the Preferences dialog, open the Advanced tab, and click the "View certificates" button.

      Figure 14.3. HTTPS Listener

      HTTPS Listener

    2. Click the "Add exception" button ,and enter the address of the HTTPS server you've just configured, i.e. https://virtuoso.example.com:4443/

    3. Click OK, and confirm the exception.

      Figure 14.4. HTTPS Listener

      HTTPS Listener

    4. Click to the "Your Certificates" tab, and import mycert.p12 .

  1. Go to the http://cname:port/conductor URL, enter the DBA user credentials.

    Figure 14.5. HTTPS Listener

    HTTPS Listener

  2. Go to System Admin->Security

    Figure 14.6. HTTPS Listener

    HTTPS Listener

  3. Enter the Issuer details:

    Figure 14.7. HTTPS Listener

    HTTPS Listener

  4. Click Generate

    Figure 14.8. HTTPS Listener

    HTTPS Listener

  5. Click Configure HTTPS Listeners

    Figure 14.9. HTTPS Listener

    HTTPS Listener

  6. Edit the new listener, and click "Generate New" key.

    Figure 14.10. HTTPS Listener

    HTTPS Listener

  7. Click Save

    Figure 14.11. HTTPS Listener

    HTTPS Listener

  8. Setting Up Firefox:

    1. In the Preferences dialog, open the Advanced tab, and click the "View certificates" button.

    2. Click the "Add exception" button and enter the address of the HTTPS server you've just configured, i.e. https://virtuoso.example.com:443/

    3. Click OK, and confirm the exception.

      Figure 14.12. HTTPS Listener

      HTTPS Listener