Protect apache with client certs
This article describes howto protect an apache webserver with client certificates ...
- it was done on a RHEL 5.4 box
- make sure openssl etc is installed ...
Contents |
create a local root-CA
For signing certificates you need a CA. To make things easy we create a local root CA.
cd /etc/ mkdir my_ca cd my_ca touch my_index.txt echo 1000 > my_serial echo 1000 > my_crlnumber openssl req -new -x509 -keyout my_ca_private_key.pem -out my_ca_cert.pem
Follow the instructions on the screen:
Generating a 1024 bit RSA private key .....++++++ ............++++++ writing new private key to 'my_private_key.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:DE State or Province Name (full name) [Berkshire]:Baden-Wuerttemberg Locality Name (eg, city) [Newbury]: ... Organization Name (eg, company) [My Company Ltd]: Organizational Unit Name (eg, section) []: ... Common Name (eg, your name or your server's hostname) []: ... Email Address []: ...
This will generate 2 files:
- my_ca_cert.pem
- my_ca_private_key.pem
Protect your private key so no other user can read it ... remember your passphrase - you will need it later.
chmod 400 my_ca*
client revocation list
Now we create a CLR (client revocation list). This list will be used to invalidate certificates before their expiry date.
openssl ca -name MY_CA -gencrl -out my_ca_cert.crl
create client certificates
create a certificate request
openssl req -new -nodes -out my_new_user.csr -keyout my_new_user.key
Follow the instructions on the screen:
openssl req -new -nodes -out my_new_user.csr -keyout my_new_user.key Generating a 1024 bit RSA private key ........++++++ ..........................................++++++ writing new private key to 'my_new_user.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:DE State or Province Name (full name) [Berkshire]: ... Locality Name (eg, city) [Newbury]: ... Organization Name (eg, company) [My Company Ltd]: ... Organizational Unit Name (eg, section) []: ... Common Name (eg, your name or your server's hostname) []: YourName Email Address []: yourmail Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: ... An optional company name []: ...
sign the csr with your CA
openssl ca -name MY_CA -in my_new_user.csr
This will generate one file with your serial.pem ...
convert pem to pfx / pkcs12 / p12
Most browsers use pfx files - not pem.
openssl pkcs12 -export -in 1000.pem -inkey my_new_user.key -certfile my_ca_cert.pem -name "Your Name => Your Name" -out 1000.p12
You will be asked for a export password ... this password has to be send to the user who imports the cert in his browser (my_export_password).
setup ssl in apache
create ssl certificate
For testing you can use a self signed certificate ...
openssl req -new -x509 -nodes -out my_ssl_hostname.crt -keyout my_ssl_hostname.key openssl x509 -x509toreq -signkey my_ssl_hostname.key -in my_ssl_hostname.crt
enable ssl in httpd.conf
Add this to your httpd.conf:
LoadModule ssl_module modules/mod_ssl.so SSLEngine On SSLCipherSuite HIGH:MEDIUM SSLCertificateFile /path/to/your/my_ssl_hostname.crt SSLCertificateKeyFile /path/to/your/my_ssl_hostname.key SSLCARevocationFile /path/to/my_ca_cert.crl SSLCACertificateFile /path/to/my_ca_cert.pem SSLVerifyClient require SSLUserName SSL_CLIENT_S_DN_CN
Restart your apache to make it work ...
... of course you have to import the 1000.p12 file into your browser.
