What is Webcullis?
Webcullis is a security plug-in for several HTTPS servers. It is designed to strengthen the web server's ability to limit access to files based on certificate policy or name constraints when the server implements X.509 PKI-based authorization schemes.
What platforms does Webcullis support?
Webcullis currently runs on Microsoft's IIS 5.0 and 6.0 (Windows 2000 Server and Server 2003) and on Apache httpd version 2.0.47 and later on Windows, Solaris and Linux. A version for Netscape/Sun/iPlanet is currently under development and can be made available in pre-release form upon request.
What does Webcullis use to do certificate validation?
Webcullis uses PKI Framework (PKIF) to do certificate validation. PKIF is a C++ software library designed to simplify the task of adding PKI support to applications. PKIF provides application developers a set of extensible classes that perform or provide an interface to a variety of PKI-related functionality.
Does Webcullis have JITC certification?
Webcullis has been certified by the JITC lab on Windows/IIS and Red Hat/Apache.
Why turn off revocation checking in IIS?
Webcullis performs revocation checking, and there is no reason to check twice. Additionally, there may be cases where Webcullis can find revocation data and IIS is unable to. Enabling revocation checking in IIS for these cases will lead to spurious rejection of valid client credentials.
Why should certificates from cross-certified infrastructures be validated using the bridge rather than simply using their root CAs in the trust store?
This might be best illustrated with an example. Suppose you want to interoperate with the DST ACES PKI. The first step you need to take before users with DST credentials can use them is to install the DST ACES Root in your CAPI store. After you take this step, you'll observe that your server accepts DST ACES certificates. Let's suppose you stop after this step. Imagine that a malicious user fools the DST ACES CA into issuing a certificate to them under the name "CN=PACE.PETER.M, OU=USMC, OU=PKI, OU=DoD, O=U.S. Government, C=US", with a subject alternative name of peter.pace@usmc.mil. The applications on that server would reasonably think that they were seeing peter.pace@usmc.mil authenticating with a CAC card, because the certificate would validate. Needless to say, you never want your applications to think a DST-credentialed user is Peter Pace.
If, instead of stopping here, you install Webcullis or another authentication plugin capable of using a bridged infrastructure to validate credentials, such a certificate would be rejected: when you cross-certify with a bridge, you place name constraints on the certificate you issue to the bridge, and those constraints prevent the acceptance of a "DoD" credential issued by anyone other than the DoD PKI. You would also have policy constraints (and likely policy mapping) in place such that you'd never see a credential coming from DST treated as a CAC card. If you establish the interoperability, you need this extra piece in place to do so securely.
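The following is an added example, not part of this FAQ and not Webcullis or Cygnacom code. It models only the name-constraint half of the argument above: a small RFC 5280-style path walk in which a cross-certificate carries excluded subtrees, and shows why a certificate bearing a DoD name that chains through the bridge from a non-DoD CA is rejected, while the same certificate is accepted when the foreign root is simply dropped into the trust store. Signatures, validity periods, revocation and policy constraints are deliberately left out, and every CA name, DN and mail domain below is a constructed placeholder.

```python
# Added example (not from the Webcullis FAQ or product): name-constraint
# processing on a bridged certification path. Only issuer/subject chaining
# and excludedSubtrees are modelled; signatures, validity, revocation and
# policy constraints are omitted. All names below are constructed placeholders.
from dataclasses import dataclass


def parse_dn(text):
    """Parse a DN written most-specific-first ("CN=..., O=..., C=US") into a
    tuple of (attribute, value) pairs in X.500 order (C= first). Values are
    lower-cased for matching; escaped commas in values are not handled."""
    pairs = []
    for rdn in text.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return tuple(reversed(pairs))


def dn_in_subtree(name, subtree):
    """RFC 5280 4.2.1.10: a directory name is within a subtree when the
    subtree's RDN sequence is a leading prefix of the name's RDN sequence."""
    return len(name) >= len(subtree) and name[: len(subtree)] == subtree


def email_in_subtree(addr, constraint):
    """rfc822Name matching: "user@host" is one mailbox, "host" is every mailbox
    on that host, ".domain" is every host within the domain."""
    addr, constraint = addr.lower(), constraint.lower()
    if "@" in constraint:
        return addr == constraint
    host = addr.rpartition("@")[2]
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


@dataclass
class Cert:
    subject: str
    issuer: str
    emails: tuple = ()           # rfc822Name entries in subjectAltName
    excluded_dns: tuple = ()     # nameConstraints excludedSubtrees (directoryName)
    excluded_emails: tuple = ()  # nameConstraints excludedSubtrees (rfc822Name)


def validate(chain, trust_anchors):
    """chain[0] is the end-entity cert; chain[-1] must be issued by one of
    trust_anchors (DN strings). Returns (accepted, reason)."""
    anchors = {parse_dn(a) for a in trust_anchors}
    if parse_dn(chain[-1].issuer) not in anchors:
        return False, "issuer is not a trust anchor: " + chain[-1].issuer
    for lower, upper in zip(chain, chain[1:]):
        if parse_dn(lower.issuer) != parse_dn(upper.subject):
            return False, "broken issuer link at " + lower.subject
    # Walk from the anchor towards the leaf. A CA's constraints apply to the
    # certificates below it, not to itself, so check first, then accumulate.
    excluded_dns, excluded_emails = [], []
    for cert in reversed(chain):
        subject = parse_dn(cert.subject)
        if any(dn_in_subtree(subject, s) for s in excluded_dns):
            return False, "subject in excluded subtree: " + cert.subject
        for addr in cert.emails:
            if any(email_in_subtree(addr, c) for c in excluded_emails):
                return False, "rfc822Name in excluded subtree: " + addr
        excluded_dns.extend(parse_dn(d) for d in cert.excluded_dns)
        excluded_emails.extend(cert.excluded_emails)
    return True, "path accepted"


# Constructed PKI: the DoD root cross-certifies the bridge and excludes its own
# name space and .mil addresses from everything chaining through the bridge;
# the bridge in turn cross-certifies the (placeholder) DST root.
DOD_ROOT = "CN=DoD Root CA (placeholder), OU=PKI, OU=DoD, O=U.S. Government, C=US"
DOD_CA = "CN=DoD CA (placeholder), OU=PKI, OU=DoD, O=U.S. Government, C=US"
BRIDGE = "CN=Bridge CA (placeholder), O=Example Bridge, C=US"
DST_ROOT = "CN=DST ACES Root (placeholder), O=Example DST, C=US"
DST_CA = "CN=DST ACES CA (placeholder), O=Example DST, C=US"

dod_ca = Cert(DOD_CA, DOD_ROOT)
bridge_cross = Cert(BRIDGE, DOD_ROOT,
                    excluded_dns=("OU=DoD, O=U.S. Government, C=US",),
                    excluded_emails=(".mil",))
dst_cross = Cert(DST_ROOT, BRIDGE)
dst_ca = Cert(DST_CA, DST_ROOT)

DOD_SUBJECT = "CN=PACE.PETER.M, OU=USMC, OU=PKI, OU=DoD, O=U.S. Government, C=US"
genuine = Cert(DOD_SUBJECT, DOD_CA, emails=("peter.pace@usmc.mil",))
spoofed = Cert(DOD_SUBJECT, DST_CA, emails=("peter.pace@usmc.mil",))
dst_user = Cert("CN=Jane Doe, O=Example Corp, C=US", DST_CA,
                emails=("jane.doe@example.com",))


def scenarios():
    """Return {name: accepted} for the configurations discussed in the FAQ."""
    bridged = [dst_ca, dst_cross, bridge_cross]
    return {
        "genuine DoD user, bridged": validate([genuine, dod_ca], [DOD_ROOT])[0],
        "DST user, bridged": validate([dst_user] + bridged, [DOD_ROOT])[0],
        "spoofed DoD name from DST, bridged": validate([spoofed] + bridged, [DOD_ROOT])[0],
        # DST root dropped straight into the trust store: no constraints apply
        "spoofed DoD name from DST, root in store": validate([spoofed, dst_ca], [DOD_ROOT, DST_ROOT])[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print("%-42s %s" % (name, "ACCEPTED" if accepted else "REJECTED"))
```

Running the script prints the four outcomes: the genuine DoD credential and the ordinary DST credential are accepted through the bridge, the DST-issued certificate carrying a DoD name is rejected at the bridge cross-certificate's excluded subtree, and the same spoofed certificate is accepted when the DST root sits directly in the trust store with no constraints in the path.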
Why is it necessary to install CA certificates in the Microsoft CAPI certificate store?
Installing root certificates into the Microsoft CAPI store serves two purposes. It allows Microsoft CAPI to successfully build a certificate path to the root certificate, which is necessary for the initial handshake to succeed regardless of whether Webcullis is installed. Adding a root certificate to the store will also make it appear in the hint list sent by IIS, ensuring that clients with credentials issued by that infrastructure will be offered the opportunity to present their certificate. When Webcullis is installed, this is safe because the final trust decision is made using the Webcullis trust store rather than the CAPI store.
Why does the Webcullis .msi installer complain about a missing .dll?
The Microsoft installer service on the machine is out of date. Download the appropriate version for your system from Microsoft.
Will Webcullis work with my version of Apache?
Webcullis works with almost any 2.0.x version of Apache. For best results, a Webcullis-specific version of mod_ssl is strongly recommended. The Webcullis download always includes a binary version of mod_ssl that works with a recent Apache, but site-specific configurations may require a customized version. The necessary patch to build one that matches your precise version of Apache (including site-specific configurations) is included with Webcullis. If you're not prepared to build a new mod_ssl but need the capabilities afforded by the Webcullis-specific module, contact us and we can help.
What versions of Linux does Webcullis support?
Anything as new as or newer than RHEL 3. For newer versions, you should install your Linux vendor's libc++5 compatibility package.
Does Webcullis support configuration of an OCSP responder?
Yes! Just make sure Webcullis can trust the certificate your responder uses to sign its responses, and configure the responder's URL using the LocalOCSPURL directive in the Webcullis configuration file.
The most current version of this document can always be found here.
All original content, images, and artwork are Copyright © 2003-2007 Cygnacom Solutions. This document may be reproduced in its entirety provided this notice and the above link to the current version remain intact and visible.