Using these methods Apache can be configured to positively identify connecting clients based on presented certificates. The server and the clients all use certificates signed by the same authority and each client is given a unique certificate. This serves to positively authenticate the user and reliabily identify the connection.

Create Certificate Authority

Create a working directory and openssl.cnf file specifically for this purpose.

# mkdir -p /opt/edoceo/etc/ssl
# cd /opt/edoceo/etc/ssl
# cp /etc/ssl/openssl.cnf ./

Edit openssl.cnf accordingly, adjusting paths and defaults in req_distingushed_name section.

Create a key, request and then self-sign.

# openssl genrsa -out ca.edoceo.key 1024
# openssl req -config ./openssl.cnf -new -key ca.edoceo.key -out ca.edoceo.csr
 [ answer questions for request ]
# openssl x509 -req -days 3660 -in ca.edoceo.csr -out ca.edoceo.crt -signkey ca.edoceo.key

Create Server & Client Certificates

Request and sign the web-server certificate, remember the passwords when prompted!

# openssl genrsa -des3 -out host.edoceo.key 1024
# openssl req -config openssl.cnf -new -key host.edoceo.key -out host.edoceo.csr
 [ answer questions for request ]
# openssl ca -config openssl.cnf -in host.edoceo.csr -cert ca.edoceo.crt -keyfile ca.edoceo.key -out host.edoceo.crt

Create Client Certifictes in PEM (openssl), PKCS#12 (firefox) and DER (internet explorer) formats. Enter a reasonable username (eg: "first.last") and organizational unit as these will be used for the authentication.

# openssl genrsa -des3 -out user.edoceo.key 1024
# openssl req -config openssl.cnf -new -key user.edoceo.key -out user.edoceo.csr
 [ answer questions for request ]
# openssl ca -config openssl.cnf -in user.edoceo.csr -cert ca.edoceo.crt -keyfile ca.edoceo.key -out user.edoceo.crt
# openssl pkcs12 -export -clcerts -in user.edoceo.crt -inkey user.edoceo.key -out user.edoceo.p12
# openssl x509 -inform PEM -in user.edoceo.crt -outform DER -out user.edoceo.der
# openssl x509 -inform PEM -in ca.edoceo.crt -outform DER -out ca.edoceo.der

Import the pkcs12 to Firefox and both DER files to Internet Explorer. These file can be shared (ie https://...) to the clients and browsers will automatically import them.

Configure Apache

This example configuration shows a secure host and ceritificate authenticated <Location>.


    DocumentRoot /var/www/

    # enable ssl
    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCertificateFile /opt/edoceo/etc/ssl/host.edoceo.crt
    SSLCertificateKeyFile /opt/edoceo/etc/ssl/host.edoceo.key-open

    # this location requires client cert 
    <Location /client-certificate-required-here>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Edoceo, Inc." and %{SSL_CLIENT_S_DN_OU} in {"Internet Engineering"}
        SSLVerifyClient require
        SSLVerifyDepth  1

See Also