Using these methods, Apache can be configured to positively identify connecting clients by the certificates they present. The server and the clients all use certificates signed by the same authority, and each client is given a unique certificate. This positively authenticates the user and reliably identifies the connection.
Create Certificate Authority
Create a working directory and openssl.cnf file specifically for this purpose.
# mkdir -p /opt/edoceo/etc/ssl
# cd /opt/edoceo/etc/ssl
# cp /etc/ssl/openssl.cnf ./
Edit openssl.cnf accordingly, adjusting the paths and the defaults in the req_distinguished_name section.
Create a key, request and then self-sign.
# openssl genrsa -out ca.edoceo.key 1024
# openssl req -config ./openssl.cnf -new -key ca.edoceo.key -out ca.edoceo.csr
[ answer questions for request ]
# openssl x509 -req -days 3660 -in ca.edoceo.csr -out ca.edoceo.crt -signkey ca.edoceo.key
Create Server & Client Certificates
Request and sign the web-server certificate; remember the passwords when prompted!
# openssl genrsa -des3 -out host.edoceo.key 1024
# openssl req -config openssl.cnf -new -key host.edoceo.key -out host.edoceo.csr
[ answer questions for request ]
# openssl ca -config openssl.cnf -in host.edoceo.csr -cert ca.edoceo.crt -keyfile ca.edoceo.key -out host.edoceo.crt
Create client certificates in PEM (OpenSSL), PKCS#12 (Firefox) and DER (Internet Explorer) formats. Enter a reasonable username (e.g. "first.last") and organizational unit, as these will be used for the authentication.
# openssl genrsa -des3 -out user.edoceo.key 1024
# openssl req -config openssl.cnf -new -key user.edoceo.key -out user.edoceo.csr
[ answer questions for request ]
# openssl ca -config openssl.cnf -in user.edoceo.csr -cert ca.edoceo.crt -keyfile ca.edoceo.key -out user.edoceo.crt
# openssl pkcs12 -export -clcerts -in user.edoceo.crt -inkey user.edoceo.key -out user.edoceo.p12
# openssl x509 -inform PEM -in user.edoceo.crt -outform DER -out user.edoceo.der
# openssl x509 -inform PEM -in ca.edoceo.crt -outform DER -out ca.edoceo.der
Import the PKCS#12 file into Firefox and both DER files into Internet Explorer. These files can be served to the clients (i.e. over https://...), and the browsers will import them automatically.
Configure Apache
This example configuration shows a secure host and a certificate-authenticated <Location>.
<VirtualHost 0.0.0.0:443>
    DocumentRoot /var/www/ssl.edoceo.com
    ServerName ssl.edoceo.com

    # enable ssl
    SSLEngine on
    SSLOptions +StdEnvVars
    # note: this list leaves export-grade (+EXP) and null-encryption (+eNULL) suites enabled
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /opt/edoceo/etc/ssl/host.edoceo.crt
    SSLCertificateKeyFile /opt/edoceo/etc/ssl/host.edoceo.key-open
    # CA against which presented client certificates are verified (and which
    # is advertised to the browser so it offers the matching certificate);
    # SSLVerifyClient cannot succeed without it
    SSLCACertificateFile /opt/edoceo/etc/ssl/ca.edoceo.crt

    # this location requires client cert
    <Location /client-certificate-required-here>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Edoceo, Inc." and %{SSL_CLIENT_S_DN_OU} in {"Internet Engineering"}
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>
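As an added example (not from the original article), the script below builds a throwaway CA and test client certificates non-interactively and then checks a client certificate the way the configuration above does: chain validation against the CA (SSLVerifyClient require, depth 1) followed by the O/OU policy from the SSLRequire line. The temp directory, the constructed subjects and the 2048-bit key size are assumptions for the test setup, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original article: throwaway CA, constructed
# client certificates, and a check mirroring SSLVerifyClient + SSLRequire.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Self-signed throwaway CA standing in for ca.edoceo.crt / ca.edoceo.key.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/O=Edoceo, Inc./OU=Test CA/CN=ca.test" 2>/dev/null
# issue_client NAME SUBJECT: key + CSR + certificate signed by the throwaway CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}
issue_client good  "/O=Edoceo, Inc./OU=Internet Engineering/CN=first.last"
issue_client badou "/O=Edoceo, Inc./OU=Sales/CN=other.user"
# Self-signed certificate carrying the "right" DN but no chain to our CA:
# the DN alone must never grant access, only a DN on a CA-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/rogue.key" \
    -out "$WORK/rogue.crt" -subj "/O=Edoceo, Inc./OU=Internet Engineering/CN=x" 2>/dev/null
# dn_field CERT FIELD: print one subject attribute (O, OU, CN), unescaped.
dn_field() {
    openssl x509 -noout -subject -nameopt sep_multiline -in "$1" \
        | sed -n "s/^ *$2=//p"
}
# check_client_cert CA CERT: succeed only if CERT chains directly to CA (what
# SSLVerifyClient require / SSLVerifyDepth 1 enforce) and its subject passes
# the same test as the SSLRequire line.
check_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    [ "$(dn_field "$2" O)" = "Edoceo, Inc." ] || return 1
    case "$(dn_field "$2" OU)" in
        "Internet Engineering") return 0 ;;   # the SSLRequire "in {...}" set
        *) return 1 ;;
    esac
}
for c in good badou rogue; do
    if check_client_cert "$WORK/ca.crt" "$WORK/$c.crt"; then
        echo "$c: access granted"
    else
        echo "$c: access denied"
    fi
done
```

Only the certificate with a valid chain and a matching O/OU is granted; the Sales OU and the rogue self-signed certificate are both denied.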