<-
Apache > HTTP Server > Documentation > Version 2.5 > Programs

ctlogconfig - Certificate Transparency log configuration tool

ctlogconfig is a tool for creating and maintaining a log configuration database, for use with mod_ssl_ct.

Refer first to Log configuration in the mod_ssl_ct documentation.

Refer to the examples below for typical use.

See also

top

Synopsis

ctlogconfig /path/to/db dump

ctlogconfig /path/to/db configure-public-key [ log-id|record-id ] /path/to/public-key.pem

ctlogconfig /path/to/db configure-url [ log-id|record-id ] log-URL

ctlogconfig /path/to/db valid-time-range log-id|record-id min-timestamp max-timestamp

ctlogconfig /path/to/db trust log-id|record-id

ctlogconfig /path/to/db distrust log-id|record-id

ctlogconfig /path/to/db forget log-id|record-id

log-id
This is the id of the log, which is the SHA-256 hash of the log's public key, provided in hexadecimal format. This string is 64 characters in length.
record-id
This is the record number in the database, as displayed by the dump sub-command, prefixed with #. As an example, #4 references the fourth record in the database. (Use shell escaping as necessary.)
/path/to/public-key.pem
This is a file containing the log's public key in PEM format. The public key is not stored in the database. Instead, a reference to the file is stored. Thus, the file cannot be removed until the public key in the database is removed or changed.
min-timestamp, max-timestamp
A timestamp is a time as expressed in the number of milliseconds since the epoch, ignoring leap seconds. This is the form of time used in Signed Certificate Timestamps. This must be provided as a decimal number.
Specify - for one of the timestamps if it is unknown. For example, when configuring the minimum valid timestamp for a log which remains valid, specify - for max-timestamp.
SCTs received from this log by the proxy are invalid if the timestamp is older than min-timestamp or newer than max-timestamp.
top

Sub-commands

dump
Display configuration database contents. The record id shown in the output of this sub-command can be used to identify the affected record in other sub-commands.
configure-public-key
Add a log's public key to the database or set the public key for an existing entry. The log's public key is needed to validate the signature of SCTs received by a proxy from a backend server. (The database will be created if it does not yet exist.)
configure-url
Add a log's URL to the database or set the URL for an existing entry. The log's URL is used when submitting server certificates to logs in order to obtain SCTs to send to clients. (The database will be created if it does not yet exist.)
valid-time-range
Set the minimum valid time and/or the maximum valid time for a log. SCTs from the log with timestamps outside of the valid range will not be accepted. Use - for a time that is not being configured. (The database will be created if it does not yet exist.)
trust
Mark a log as trusted, which is the default setting. This sub-command is used to reverse a distrust setting. (The database will be created if it does not yet exist.)
distrust
Mark a log as distrusted. (The database will be created if it does not yet exist.)
forget
Remove information about a log from the database.
top

Examples

Consider an Apache httpd instance which serves as a TLS server and a proxy. The TLS server needs to obtain SCTs from a couple of known logs in order to pass those to clients, and the proxy needs to be able to validate the signature of SCTs received from backend servers.

First we'll configure the URLs for logs where server certificates are logged:

$ ctlogconfig /path/to/conf/log-config configure-url http://log1.example.com/
$ ctlogconfig /path/to/conf/log-config configure-url http://log2.example.com/
$ ctlogconfig /path/to/conf/log-config dump
Log entry:
Record 1
Log id : (not configured)
Public key file: (not configured)
URL : http://log1.example.com/
Time range : -INF to +INF

Log entry:
Record 2
Log id : (not configured)
Public key file: (not configured)
URL : http://log2.example.com/
Time range : -INF to +INF

Next we'll set the public key of a log where the certificate of our only backend server is published. In this case it is the log with URL http://log2.example.com/ which has already been configured.

$ ctlogconfig /path/to/conf/log-config configure-public-key \#2 /path/to/conf/log2-pub.pem
$ ctlogconfig /path/to/conf/log-config dump
Log entry:
Record 1
Log id : (not configured)
Public key file: (not configured)
URL : http://log1.example.com/
Time range : -INF to +INF

Log entry:
Record 2
Log id : (not configured)
Public key file: /path/to/conf/log2-pub.pem
URL : http://log2.example.com/
Time range : -INF to +INF

top