* This update makes configuring SSL a little easier on Windows XP. It also makes it possible to run a HTTPS server on the region. It also has a junk Certification authority for test purposes.

* There are still a lot of things that are hard coded to use http.   They need to be fixed.
* Also includes directions
* A standard junk PEM file to append to app_settings/CA.pem in the client so SSL will work

11 files changed, 373 insertions, 7 deletions

diff --git a/OpenSim/Framework/NetworkServersInfo.cs b/OpenSim/Framework/NetworkServersInfo.cs
index 43ec11e..9f3014d 100644
--- a/OpenSim/Framework/NetworkServersInfo.cs
+++ b/OpenSim/Framework/NetworkServersInfo.cs
@@ -49,6 +49,9 @@ namespace OpenSim.Framework
         public string UserRecvKey = String.Empty;
         public string UserSendKey = String.Empty;
         public string UserURL = String.Empty;
+        public bool HttpUsesSSL = false;
+        public string HttpSSLCN = "";
+        public uint httpSSLPort = 9001;
 
 
         public NetworkServersInfo()
@@ -78,6 +81,10 @@ namespace OpenSim.Framework
 
             HttpListenerPort =
                 (uint) config.Configs["Network"].GetInt("http_listener_port", (int) DefaultHttpListenerPort);
+            httpSSLPort =
+                (uint)config.Configs["Network"].GetInt("http_listener_sslport", ((int)DefaultHttpListenerPort+1));
+            HttpUsesSSL = config.Configs["Network"].GetBoolean("http_listener_ssl", false);
+            HttpSSLCN = config.Configs["Network"].GetString("http_listener_cn", "");
             RemotingListenerPort =
                 (uint) config.Configs["Network"].GetInt("remoting_listener_port", (int) RemotingListenerPort);
             GridURL =
diff --git a/OpenSim/Framework/Servers/BaseHttpServer.cs b/OpenSim/Framework/Servers/BaseHttpServer.cs
index 181eb92..6cf6744 100644
--- a/OpenSim/Framework/Servers/BaseHttpServer.cs
+++ b/OpenSim/Framework/Servers/BaseHttpServer.cs
@@ -26,12 +26,14 @@
  */
 
 using System;
+using System.Diagnostics;
 using System.Collections;
 using System.Collections.Generic;
 using System.IO;
 using System.Net;
 using System.Net.Sockets;
 using System.Reflection;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Threading;
 using System.Xml;
@@ -39,6 +41,7 @@ using OpenMetaverse.StructuredData;
 using log4net;
 using Nwc.XmlRpc;
 
+
 namespace OpenSim.Framework.Servers
 {
     public class BaseHttpServer
@@ -55,9 +58,14 @@ namespace OpenSim.Framework.Servers
         protected Dictionary<string, IHttpAgentHandler> m_agentHandlers = new Dictionary<string, IHttpAgentHandler>();
 
         protected uint m_port;
+        protected uint m_sslport;
         protected bool m_ssl = false;
         protected bool m_firstcaps = true;
 
+        public uint SSLPort
+        {
+            get { return m_sslport; }
+        }
         public uint Port
         {
             get { return m_port; }
@@ -72,8 +80,124 @@ namespace OpenSim.Framework.Servers
         {
             m_ssl = ssl;
             m_port = port;
+            
+        }
+
+        public BaseHttpServer(uint port, bool ssl, uint sslport, string CN)
+        {
+            m_ssl = ssl;
+            m_port = port;
+            if (m_ssl)
+            {
+                bool result = SetupSsl((int)sslport, CN);
+                m_sslport = sslport;
+            }
+        }
+
+        
+        
+        public bool SetupSsl(int port, string CN)
+        {
+            string searchCN = Environment.MachineName.ToUpper();
+            
+            if (CN.Length > 0)
+                searchCN = CN.ToUpper();
+
+            Type t = Type.GetType("Mono.Runtime");
+            if (t != null)
+            {
+                // TODO Mono User Friendly HTTPS setup
+                // if this doesn't exist, then mono people can still manually use httpcfg
+            }
+            else
+            {
+                // Windows.
+                // Search through the store for a certificate with a Common name specified in OpenSim.ini.
+                // We need to find it's hash so we can pass it to httpcfg
+                X509Store store = new X509Store(StoreLocation.LocalMachine);
+                //Use the first cert to configure Ssl
+                store.Open(OpenFlags.ReadOnly);
+                //Assumption is we have certs. If not then this call will fail :(
+                try
+                {
+                    bool found = false;
+                    //X509Certificate2.CreateFromCertFile("testCert.cer");
+
+                    foreach (X509Certificate2 cert in store.Certificates)
+                    {
+                        String certHash = cert.GetCertHashString();
+                        //Only install certs issued for the machine and has the name as the machine name
+                        if (cert.Subject.ToUpper().IndexOf(searchCN) >= 0)
+                        {
+                            string httpcfgparams = String.Format("set ssl -i 0.0.0.0:{1} -c \"MY\" -h {0}", certHash, port);
+                            try
+                            {
+                                found = true;
+
+                                ExecuteHttpcfgCommand(httpcfgparams);
+ 
+                                break;
+                            }
+                            catch (Exception e)
+                            {
+                                m_log.WarnFormat("[HTTPS]: Automatic HTTPS setup failed.  Do you have httpcfg.exe in your path?  If not, you can download it in the windowsXP Service Pack 2 Support Tools, here: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en.  When you get it installed type, httpcfg {0}", httpcfgparams);
+                                return false;
+                            }
+                        }
+                    }
+
+                    if (!found)
+                    {
+                        m_log.WarnFormat("[HTTPS]: We didn't find a certificate that matched the common name {0}.  Automatic HTTPS setup failed, you may have certificate errors.  To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-in with the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA.  Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine)", searchCN);
+                        return false;
+                    }
+
+                }
+                catch (Exception e)
+                {
+                    m_log.WarnFormat("[HTTPS]: We didn't any certificates in your LocalMachine certificate store.  Automatic HTTPS setup failed, you may have certificate errors.  To fix this, make sure you generate a certificate request(CSR) using OpenSSL or the IIS snap-inwith the common name you specified in opensim.ini. Then get it signed by a certification authority or sign it yourself with OpenSSL and the junkCA.  Finally, be sure to import the cert to the 'MY' store(StoreLocation.LocalMachine). The configured common name is {0}", searchCN);
+                    return false;
+                }
+                finally
+                {
+                    if (store != null)
+                    {
+                        store.Close();
+                    }
+                }
+            }
+            return true;
         }
 
+        private void ExecuteHttpcfgCommand(string p)
+        {
+            
+            string file = "httpcfg";
+
+            ProcessStartInfo info = new ProcessStartInfo(file, p);
+            // Redirect output so we can read it.
+            info.RedirectStandardOutput = true;
+            // To redirect, we must not use shell execute.
+            info.UseShellExecute = false;
+
+            // Create and execute the process.
+            Process httpcfgprocess = Process.Start(info);
+            httpcfgprocess.Start();
+            string result = httpcfgprocess.StandardOutput.ReadToEnd();
+            if (result.Contains("HttpSetServiceConfiguration completed with"))
+            {
+                //success
+            
+            }
+            else
+            {
+                //fail
+                m_log.WarnFormat("[HTTPS]:Error binding certificate with the requested port.  Message:{0}", result);
+            }
+            
+        }
+
+
         /// <summary>
         /// Add a stream handler to the http server.  If the handler already exists, then nothing happens.
         /// </summary>
@@ -907,7 +1031,8 @@ namespace OpenSim.Framework.Servers
                 }
                 else
                 {
-                    m_httpListener.Prefixes.Add("https://+:" + m_port + "/");
+                    m_httpListener.Prefixes.Add("https://+:" + (m_sslport) + "/");
+                    m_httpListener.Prefixes.Add("http://+:" + m_port + "/");
                 }
                 m_httpListener.Start();
 
@@ -921,7 +1046,7 @@ namespace OpenSim.Framework.Servers
             catch (Exception e)
             {
                 m_log.Warn("[HTTPD]: Error - " + e.Message);
-                m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "?");
+                m_log.Warn("Tip: Do you have permission to listen on port " + m_port + "," + m_sslport + "?");
             }
         }
 
diff --git a/OpenSim/Region/ClientStack/RegionApplicationBase.cs b/OpenSim/Region/ClientStack/RegionApplicationBase.cs
index 8bb35c1..469c084 100644
--- a/OpenSim/Region/ClientStack/RegionApplicationBase.cs
+++ b/OpenSim/Region/ClientStack/RegionApplicationBase.cs
@@ -81,7 +81,12 @@ namespace OpenSim.Region.ClientStack
 
             Initialize();
 
-            m_httpServer = new BaseHttpServer(m_httpServerPort);
+            m_httpServer = new BaseHttpServer(m_httpServerPort,m_networkServersInfo.HttpUsesSSL,m_networkServersInfo.httpSSLPort, m_networkServersInfo.HttpSSLCN);
+            if (m_networkServersInfo.HttpUsesSSL && (m_networkServersInfo.HttpListenerPort == m_networkServersInfo.httpSSLPort))
+            {
+                m_log.Error("[HTTP]: HTTP Server config failed.   HTTP Server and HTTPS server must be on different ports");
+            }
+
 
             m_log.Info("[REGION]: Starting HTTP server");
 
diff --git a/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs b/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs
index 6e37b95..68f35e8 100644
--- a/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs
+++ b/OpenSim/Region/Environment/Modules/InterGrid/OpenGridProtocolModule.cs
@@ -86,6 +86,9 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
         private Dictionary<UUID, OGPState> m_OGPState = new Dictionary<UUID, OGPState>();
         private string LastNameSuffix = "_EXTERNAL";
         private string FirstNamePrefix = "";
+        private string httpsCN = "";
+        private bool httpSSL = false;
+        private uint httpsslport = 0;
 
         #region IRegionModule Members
 
@@ -93,6 +96,7 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
         {
             bool enabled = false;
             IConfig cfg = null;
+            IConfig httpcfg = null;
             try
             {
                 cfg = config.Configs["OpenGridProtocol"];
@@ -100,6 +104,16 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
             {
                 enabled = false;
             }
+
+            try
+            {
+                httpcfg = config.Configs["Network"];
+            }
+            catch (NullReferenceException)
+            {
+               
+            }
+
             if (cfg != null)
             {
                 enabled = cfg.GetBoolean("ogp_enabled", false);
@@ -139,6 +153,20 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
                     }
                 }
             }
+            lock (m_scene)
+            {
+                if (m_scene.Count == 1)
+                {
+                    if (httpcfg != null)
+                    {
+                        httpSSL = httpcfg.GetBoolean("http_listener_ssl", false);
+                        httpsCN = httpcfg.GetString("http_listener_cn", scene.RegionInfo.ExternalHostName);
+                        if (httpsCN.Length == 0)
+                            httpsCN = scene.RegionInfo.ExternalHostName;
+                        httpsslport = (uint)httpcfg.GetInt("http_listener_sslport",((int)scene.RegionInfo.HttpPort + 1));
+                    }
+                }
+            }
             // Of interest to this module potentially
             //scene.EventManager.OnNewClient += OnNewClient;
             //scene.EventManager.OnGridInstantMessageToFriendsModule += OnGridInstantMessage;
@@ -371,14 +399,35 @@ namespace OpenSim.Region.Environment.Modules.InterGrid
             // Get a reference to the user's cap so we can pull out the Caps Object Path
             OpenSim.Framework.Communications.Capabilities.Caps userCap = homeScene.GetCapsHandlerForUser(agentData.AgentID);
 
+            string rezHttpProtocol = "http://";
+            string regionCapsHttpProtocol = "http://";
+            string httpaddr = reg.ExternalHostName;
+            string urlport = reg.HttpPort.ToString();
+
+
+            if (httpSSL)
+            {
+                rezHttpProtocol = "https://";
+
+                urlport = httpsslport.ToString();
+
+                if (httpsCN.Length > 0)
+                    httpaddr = httpsCN;
+            }
+            
+
+            // Be warned that the two following lines assume http not 
+            // https since region caps are not implemented in https currently
+
             // DEPRECIATED
-            responseMap["seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
+            responseMap["seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
             
             // REPLACEMENT
-            responseMap["region_seed_capability"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
+            responseMap["region_seed_capability"] = LLSD.FromString(regionCapsHttpProtocol + httpaddr + ":" + reg.HttpPort + "/CAPS/" + userCap.CapsObjectPath + "0000/");
+
             
-            responseMap["rez_avatar/rez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + rezAvatarPath);
-            responseMap["rez_avatar/derez"] = LLSD.FromString("http://" + reg.ExternalHostName + ":" + reg.HttpPort + derezAvatarPath);
+            responseMap["rez_avatar/rez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + rezAvatarPath);
+            responseMap["rez_avatar/derez"] = LLSD.FromString(rezHttpProtocol + httpaddr + ":" + urlport + derezAvatarPath);
 
             // Add the user to the list of CAPS that are outstanding.
             // well allow the caps hosts in this dictionary
diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example
index 28a32cf..eda5813 100644
--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
@@ -169,6 +169,15 @@ dump_assets_to_file = false
 http_listener_port = 9000
 remoting_listener_port = 8895
 
+; ssl config: Experimental!  The auto https config only really works definately on windows XP now
+; you need a Cert Request/Signed pair installed in the MY store with the CN specified below
+; you can use https on other platforms, but you'll need to configure the httpapi yourself for now
+http_listener_ssl = false ; Also create a SSL server
+http_listener_cn = "localhost" ; Use the cert with the common name
+http_listener_sslport = 9001 ; Use this port for SSL connections
+http_listener_ssl_cert = "" ; Currently unused, but will be used for OSHttpServer
+
+
 ; Uncomment below to enable llRemoteData/remote channels
 ; remoteDataPort = 20800
 
diff --git a/share/junkCA/CA.crt b/share/junkCA/CA.crt
new file mode 100644
index 0000000..8e2f099
--- /dev/null
+++ b/share/junkCA/CA.crt
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
+VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp
+dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV
+BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg
+VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx
+MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI
+EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl
+blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl
+MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3
+DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO
+GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq
+xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP
+b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr
+UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI
+opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
+u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I
+sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z
+dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv
+ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc
+T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy
+YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh
+MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f
+iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67
+aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM
+eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas
+e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC
+-----END CERTIFICATE-----
diff --git a/share/junkCA/CA.key b/share/junkCA/CA.key
new file mode 100644
index 0000000..59a7a5e
--- /dev/null
+++ b/share/junkCA/CA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsKUyMNNWOi4OyDZ5g6fShywtadFHYOGPVMdt9s3drTk6Yxe0
+J5RyDhioPIxOkomleDTwvZ0aoFQjjGuh+3K26/yK13E1KtGWMiBtO2ZG1G/uGjTS
+S4f76sR49JF30ShsatUM45jTu5Hws0eL0LnSOBfx8Ohy9ryKkSN7DXqZ/o91SgiC
+8ky0D29JiYuhH0Ys6i7SIEMGmjDdwIGVhfKwADTS3q85GCzO/rk+bEGF/7Bj4tes
+fzYBa1HwiOgINkm7n4/FTjqdPJA8FWTau1a+OMvpdYCckj5yzGwa02/3q3PlCb+M
+YFbESKKTCj/wxvs93kW8SnD2dIaT1iUuCYRtGwIDAQABAoIBAFNoXU+iqodkMgSl
+fDEHMCg1WugpMjvzpXsRg8HSqQZfDEu36I/7zvMK/30/fuZAakpdLQNLSERGFlb6
+h4y0ON0q7OAXi1RBjFr05r7yZyVuCI6FPHr/pZrP1JEekuXG4ZJ8MM7S3b8mhPIS
+KVmQNEvaOppXF9mbYw5vI25U4pvIljfAKZxkeU7aHb9asrnuBOwLjFRtLDTo13Nc
+dHTT3X+G+74mU8rYTV3njAmh9iE+PmDlc2mJckS/0TqpJbZgFueCCBIK5iJSc7lO
++DFFgRcouvnCdZW9fp6/8Hz4FGa2TX6jsYj/H1dGWELioUOoBwkdqFP9JaBvd7ni
+Nx2PObkCgYEA31rYJJ5jUiosf1I894MuEg2HWosXd0pVAPW3QjHdx7oiVUBRS5ZB
+YAOy5zeleLckfWKJiE4z/5CMdsEM/Q9F0X2xg3TDhxUM7A4px0AXAsbyJT7AcE0O
+kZBZjhluIF8O3Lic/LqzT39KgG35zvvd+H42Je1WvsCLSREL1MQDwCUCgYEAynak
+x41uazl5UaDwL+mahIVW+n/Bko3e9BhD7ZRkLI2+R7y180Fw7dMmnxG/jVw7hotk
+Ylx3Oa+JjnEplxTd1TShnP1aQ0nhnxnhS9EbIW8SjsazeK8V8zezJ54uZziVedgg
+x/ISvQM0yPbvkrSo4mQEjl3q4DjmIyg5Nx+cVD8CgYBGD0vPKLOE2V+9zED9bnNs
+DDxRxWFl9LX3KBwEsnmbpaIRVaxqZkY5ZM+gQU8xL1lNzzPOwqEC4Ad/VIzLcBf5
+X1DoKB8Q5yR3gvXN3yeYomjgD+/zCeiw9jNxJD7r/oU97NapW7LVE9t9r4F1UIHO
+6V/4w5q7GNBX6fXpFlcK1QKBgQCYNbYP5/4ZUm4otiucea0W7//B94YZndr9+7gl
+xqfA7xcca30G0i4KPfINKJSvu6VssyLW59kiXxu1INI5qRBVF2pg0f+oEsUyjYxZ
+KW2SJyT2fd+zXT3NShTANiWAqIOHxLpwV0dLHjvy0eKukm9dNABQ376Sr3Qk/jp1
+fKhUlQKBgAj6o2lw0vLOuQmqV08YF/UFWN/TZAcBzDE353fypi16aqY35pYSvUez
+64d1anTTwuq5fLGaQlH0XgGor/XbBqgif8eVyTRdfmA/2YQjwMIFyrWyxLpTiuiO
+0P6lO4B9NCT2N/gDPomdlOfkA2g063C21CPa43lr8lGx8oaQW95W
+-----END RSA PRIVATE KEY-----
diff --git a/share/junkCA/CA.srl b/share/junkCA/CA.srl
new file mode 100644
index 0000000..ea34835
--- /dev/null
+++ b/share/junkCA/CA.srl
@@ -0,0 +1 @@
+F10DF59AD0EE66E0
diff --git a/share/junkCA/CA2.pem b/share/junkCA/CA2.pem
new file mode 100644
index 0000000..8e2f099
--- /dev/null
+++ b/share/junkCA/CA2.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFJzCCBA+gAwIBAgIJAK3s6O4dAEQSMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
+VQQGEwJVUzEUMBIGA1UECBMLTXVsdGktc3RhdGUxEzARBgNVBAcTCm11bHRpLWNp
+dHkxJTAjBgNVBAoTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQgVFJVU1QxEzARBgNV
+BAsTCkRPTlQgVFJVU1QxJTAjBgNVBAMTHE9wZW5TaW11bGF0b3IgRGV2IERPTlQg
+VFJVU1QxIDAeBgkqhkiG9w0BCQEWEXRlcmF2dXNAZ21haWwuY29tMB4XDTA4MDkx
+MjE2MTEwNVoXDTE4MDgxMTE2MTEwNVowgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQI
+EwtNdWx0aS1zdGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3Bl
+blNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDEl
+MCMGA1UEAxMcT3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3
+DQEJARYRdGVyYXZ1c0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCwpTIw01Y6Lg7INnmDp9KHLC1p0Udg4Y9Ux232zd2tOTpjF7QnlHIO
+GKg8jE6SiaV4NPC9nRqgVCOMa6H7crbr/IrXcTUq0ZYyIG07ZkbUb+4aNNJLh/vq
+xHj0kXfRKGxq1QzjmNO7kfCzR4vQudI4F/Hw6HL2vIqRI3sNepn+j3VKCILyTLQP
+b0mJi6EfRizqLtIgQwaaMN3AgZWF8rAANNLerzkYLM7+uT5sQYX/sGPi16x/NgFr
+UfCI6Ag2Sbufj8VOOp08kDwVZNq7Vr44y+l1gJySPnLMbBrTb/erc+UJv4xgVsRI
+opMKP/DG+z3eRbxKcPZ0hpPWJS4JhG0bAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
+u0ZSqD+MrxiuSy0IsX5Iye8lHZswgfIGA1UdIwSB6jCB54AUu0ZSqD+MrxiuSy0I
+sX5Iye8lHZuhgcOkgcAwgb0xCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtNdWx0aS1z
+dGF0ZTETMBEGA1UEBxMKbXVsdGktY2l0eTElMCMGA1UEChMcT3BlblNpbXVsYXRv
+ciBEZXYgRE9OVCBUUlVTVDETMBEGA1UECxMKRE9OVCBUUlVTVDElMCMGA1UEAxMc
+T3BlblNpbXVsYXRvciBEZXYgRE9OVCBUUlVTVDEgMB4GCSqGSIb3DQEJARYRdGVy
+YXZ1c0BnbWFpbC5jb22CCQCt7OjuHQBEEjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBBQUAA4IBAQAaI69OZmjTVcZxtWLASB9nv3WNEOxJW+aBjseUhyM4H9pJ5bkh
+MmgiG9JgnBUpNzL3/1EV2Ud8ZCBy7JxhvwWnJMjxJL67US16sKpCLVvNAD2pCZ6f
+iaT/qorLYP/yJ7OieYmAh5lZsvG8xJM44ZZyvtYEVBB+qZw1gHkb4hhf3roUCV67
+aHMDRRolWyWm6weid7wTWz38QfRohVWidH9CPwubG7K4zPrDpBJAZV1cKra1YTrM
+eje1GuIyHzpIAAYP5z1hgI9p/0oTrWnG7w7Ydkpm9lu50WMt1DScsYnh0MhW/uas
+e24cQsvz0m9PZlfAsJQeX6pbqlJppoX+XeVC
+-----END CERTIFICATE-----
diff --git a/share/junkCA/Certificate commands OpenSSL.txt b/share/junkCA/Certificate commands OpenSSL.txt
new file mode 100644
index 0000000..0167ee1
--- /dev/null
+++ b/share/junkCA/Certificate commands OpenSSL.txt
@@ -0,0 +1,82 @@
+To generate a cert request and sign it with the JunkCA

+

+REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect!

+

+Generate a Host Key:

+ openssl genrsa -out host.key 2048

+

+Generate a Certificate signing request with *OpenSSL*:

+  openssl req -new -nodes -key host.key -out host.csr

+  When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on.

+

+Or you could;

+

+Generate a Certificate request with the *IIS Snapin*:

+  Go to Control Panel ---> Administrative tools ---> Internet Information Services

+  Pick a web site on your server.

+  right click, choose properties from the context menu

+  Go to the Directory Security tab

+  Click On the 'Server Certificate...' button

+  Click 'Prepare the request now, but send it later' and then follow the wizard.

+  Be sure to type the common name as the domain name that you will be servicing.   www.osgrid.org or whatever server will be using this cert

+

+Sign the certificate request with the junkCA;

+openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer

+

+Import it into your MY store on windows.

+

+ If you used OpenSSL to generate the certificate;

+   openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert" 

+   server.crt is the signed cert from the CA.

+   server.key.unsecure is the *unencrypted* private key.

+

+   You will be asked for a password, set this if you want.

+

+   In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier.

+

+   In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed.

+

+ If you used the IIS Snap-in, 

+   Go to Control Panel ---> Administrative tools ---> Internet Information Services

+   Pick a web site on your server.

+   right click, choose properties from the context menu

+   Go to the Directory Security tab

+   Click On the 'Server Certificate...' button

+   Choose the radio button that says, 'Assign an existing certificate'

+

+

+Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder.

+ httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert

+

+After that, make sure to set-up your opensim.ini!

+

+

+OpenSSL can be found:

+http://www.slproweb.com/products/Win32OpenSSL.html

+

+httpcfg.exe for windowsXP can be found:

+http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

+

+Windows Vista users need to use netsh http!

+

+---------------------------------------------------

+

+Additional notes

+

+To create your own CA

+

+openssl genrsa -out yourCA.key 2048

+openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt

+

+and the final step..  (AND THIS IS IMPORTANT)

+

+openssl x509 -in CA.crt -out yourCA.pem -outform PEM

+

+The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file 

+so that it can validate certificates that are generated from your CA.   

+

+One last important thing!  

+

+All users that connect with linden clients 

+using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about 

+their clock being wrong!

diff --git a/share/junkCA/This Folder contains Junk CA files and directions for signing with it.   Comply with Export laws! b/share/junkCA/This Folder contains Junk CA files and directions for signing with it.   Comply with Export laws!
new file mode 100644
index 0000000..cab724a
--- /dev/null
+++ b/share/junkCA/This Folder contains Junk CA files and directions for signing with it.   Comply with Export laws!
@@ -0,0 +1 @@
+This Folder contains Junk CA files and directions for signing with it.   Comply with Export laws!
\ No newline at end of file