Setup Client SSL Certificate Authentication for Apache 2

Install Apache 2

* On Windows, follow this post to install Apache 2.
* Follow this post to set up Apache 2 to support SSL
* Test to see that https://www.my.com can be accessed

Setup Client Authentication

Generate Client Key and Certificate

* Generate client key (client_key.pem) and certificate signing request (CSR) (client_req.pem)

C:\OpenSSL\exampleca>set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf

C:\OpenSSL\exampleca>openssl req -newkey rsa:1024 -keyout client_key.pem -keyform PEM -out client_req.pem -outform PEM
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..........................................................................++++++
.........++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
commonName, e.g. www.exampleca.com [Example CA]:John Doe
stateOrProvinceName, e.g. Virginia [Virginia]:
countryName, e.g. US [US]:
emailAddress, e.g ca@exampleca.com [ca@exampleca.com]:johndoe@exampleca.com
organizationName, e.g. Example CA [Example CA]:

* Sign client CSR (client_req.pem) to obtain signed cert (certs\03.pem)

C:\OpenSSL\exampleca>openssl ca -in client_req.pem
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'John Doe'
stateOrProvinceName   :PRINTABLE:'Virginia'
countryName           :PRINTABLE:'US'
emailAddress          :IA5STRING:'johndoe@exampleca.com'
organizationName      :PRINTABLE:'Example CA'
Certificate is to be certified until Jun 26 18:53:31 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
        Validity
            Not Before: Jun 27 18:53:31 2011 GMT
            Not After : Jun 26 18:53:31 2012 GMT
        Subject: CN=John Doe, ST=Virginia, C=US/emailAddress=johndoe@exampleca.com, O=Example CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:aa:33:7d:0f:93:51:69:8f:66:02:33:e7:57:b6:
                    85:82:74:e5:cd:b3:56:0c:df:b9:7c:bd:3f:99:17:
                    a4:2e:67:45:a8:09:54:7f:de:bc:88:d8:59:05:47:
                    ef:64:52:7f:e7:36:78:26:2b:03:70:b1:fd:83:12:
                    55:59:d0:47:e9:ff:db:ca:b3:63:28:ba:b9:15:2f:
                    45:f6:6c:ea:d6:fe:e9:15:82:1a:47:eb:63:94:6f:
                    bc:66:18:5e:21:00:c3:88:fc:82:1e:e6:30:e0:c0:
                    0c:cb:e1:70:8d:33:72:84:ab:24:84:90:29:64:00:
                    2f:e8:49:66:88:55:95:ae:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        40:ac:f3:fc:a6:43:96:ab:00:c2:f1:77:fd:24:e6:51:68:fe:
        16:5e:27:8a:1c:31:88:78:85:49:24:35:a4:07:0e:f9:cc:fe:
        23:d6:ff:dc:63:47:4c:91:05:fb:33:b6:fc:f4:98:e2:d9:a5:
        0e:ef:4b:3c:fd:8b:ad:27:54:7b:30:c5:0b:59:46:72:48:d3:
        e7:5e:5e:31:8a:50:f4:98:ed:41:05:c8:e0:9d:a4:32:38:80:
        a5:f1:eb:67:a0:a3:38:08:83:ae:97:56:48:93:c7:7e:20:40:
        39:c7:5e:5d:29:47:48:63:ae:44:c0:4e:07:1f:82:e7:8e:cd:
        f8:3e:6a:8e:ff:af:17:83:2d:f9:34:54:37:f8:b6:3a:b8:3a:
        a2:d2:0e:c3:0b:b7:c2:ed:e6:46:bd:bc:1a:8d:1f:f6:4f:d6:
        99:1c:3a:c9:e9:64:22:6c:7c:18:92:b1:0f:b7:0b:c9:45:d0:
        4a:e7:83:2c:5e:c6:26:62:83:ef:66:e5:6f:1d:de:19:da:3b:
        e0:46:b3:14:d1:91:2a:67:8b:f3:42:12:be:7b:83:33:f7:b8:
        14:45:67:8b:f5:78:5f:bd:42:a5:36:ac:b2:1c:50:31:57:9d:
        fa:4f:d1:c3:e1:95:e0:b6:88:7c:69:43:86:bb:cc:83:0e:97:
        c1:2a:f5:fe
-----BEGIN CERTIFICATE-----
MIIC3TCCAcWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBrMRMwEQYDVQQDEwpFeGFt
cGxlIENBMREwDwYDVQQIEwhWaXJnaW5pYTELMAkGA1UEBhMCVVMxHzAdBgkqhkiG
9w0BCQEWEGNhQGV4YW1wbGVjYS5jb20xEzARBgNVBAoTCkV4YW1wbGUgQ0EwHhcN
MTEwNjI3MTg1MzMxWhcNMTIwNjI2MTg1MzMxWjBuMREwDwYDVQQDEwhKb2huIERv
ZTERMA8GA1UECBMIVmlyZ2luaWExCzAJBgNVBAYTAlVTMSQwIgYJKoZIhvcNAQkB
FhVqb2huZG9lQGV4YW1wbGVjYS5jb20xEzARBgNVBAoTCkV4YW1wbGUgQ0EwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKozfQ+TUWmPZgIz51e2hYJ05c2zVgzf
uXy9P5kXpC5nRagJVH/evIjYWQVH72RSf+c2eCYrA3Cx/YMSVVnQR+n/28qzYyi6
uRUvRfZs6tb+6RWCGkfrY5RvvGYYXiEAw4j8gh7mMODADMvhcI0zcoSrJISQKWQA
L+hJZohVla4hAgMBAAGjDTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEEBQADggEB
AECs8/ymQ5arAMLxd/0k5lFo/hZeJ4ocMYh4hUkkNaQHDvnM/iPW/9xjR0yRBfsz
tvz0mOLZpQ7vSzz9i60nVHswxQtZRnJI0+deXjGKUPSY7UEFyOCdpDI4gKXx62eg
ozgIg66XVkiTx34gQDnHXl0pR0hjrkTATgcfgueOzfg+ao7/rxeDLfk0VDf4tjq4
OqLSDsMLt8Lt5ka9vBqNH/ZP1pkcOsnpZCJsfBiSsQ+3C8lF0ErngyxexiZig+9m
5W8d3hnaO+BGsxTRkSpni/NCEr57gzP3uBRFZ4v1eF+9QqU2rLIcUDFXnfpP0cPh
leC2iHxpQ4a7zIMOl8Eq9f4=
-----END CERTIFICATE-----
Data Base Updated

* Rename signed cert from 03.pem to client_cert.pem

C:\OpenSSL\exampleca>cd certs

C:\OpenSSL\exampleca\certs>dir

 Directory of C:\OpenSSL\exampleca\certs

06/27/2011  02:53 PM             3,289 03.pem

C:\OpenSSL\exampleca\certs>rename 03.pem client_cert.pem

C:\OpenSSL\exampleca\certs>dir clien*

 Directory of C:\OpenSSL\exampleca\certs

06/27/2011  02:53 PM             3,289 client_cert.pem

C:\OpenSSL\exampleca\certs>cd ..

* Convert from PEM to PKCS#12 format so it can be imported into Firefox:

C:\OpenSSL\exampleca>openssl pkcs12 -export -clcerts -in certs\client_cert.pem -inkey client_key.pem -out client_cert.p12
Loading 'screen' into random state - done
Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:

C:\OpenSSL\exampleca>dir client*

 Directory of C:\OpenSSL\exampleca

06/27/2011  03:05 PM             1,757 client_cert.p12
06/27/2011  02:53 PM             1,041 client_key.pem
06/27/2011  02:53 PM               660 client_req.pem

Enable Client Authentication

* Add to httpd.conf:

Listen 443
<VirtualHost _default_:443>
  SSLEngine on
  SSLCertificateFile conf/apache_cert.pem
  SSLCertificateKeyFile conf/apache_key_nopass.pem
 
  #################
  SSLVerifyClient require
  SSLVerifyDepth 10
  #################
</VirtualHost>

* Restart Apache
* Test to see that https://www.my.com can NOT be accessed anymore.

Setup Client SSL Authentication

* Modify httpd.conf to include CA cert:
– Copy cacert.pem to Apache 2 conf directory
– Modify httpd.conf to include cacert.pem with SSLCACertificateFile directive:

Listen 443
<VirtualHost _default_:443>
  SSLEngine on
  SSLCertificateFile conf/apache_cert.pem
  SSLCertificateKeyFile conf/apache_key_nopass.pem
 
  SSLVerifyClient require
  SSLVerifyDepth 10
  #################
  SSLCACertificateFile conf/cacert.pem
  #################
</VirtualHost>

Setup Firefox Browser for Client Authentication

* Import client_cert.p12 into Firefox browser:
– Tools -> Options -> Advanced -> Encryption -> View Certificates -> Your Certificates -> Import -> client_cert.p12

* Import CA certificate if not already done:
– Tools -> Options -> Advanced -> Encryption -> View Certificates -> Authorities -> Import -> cacert.pem

* Turn on automatic selection when a personal certificate is requested:
– Tools -> Options -> Advanced -> Encryption -> Select one automatically

Test Client Authentication

* Restart Apache
* Important! Restart the Firefox browser as well.
* Test to see the page can be loaded again now.

Setup CRL

Revoke Client Certificate (client_cert.pem)

openssl ca -revoke certs\client_cert.pem

C:\OpenSSL\exampleca>openssl ca -revoke certs\client_cert.pem
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
Revoking Certificate 03.
Data Base Updated

Generate CRL: exampleca.crl

openssl ca -gencrl -out exampleca.crl

C:\OpenSSL\exampleca>openssl ca -gencrl -out exampleca.crl
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:

Setup CRL

* Create a crl directory, e.g. C:\prog\Apache2.2\conf\crl
* Copy exampleca.crl to the newly created crl directory
* Modify httpd.conf to point SSLCARevocationFile to the crl file:

Listen 443
<VirtualHost _default_:443>
  SSLEngine on
  SSLCertificateFile conf/apache_cert.pem
  SSLCertificateKeyFile conf/apache_key_nopass.pem
 
  SSLVerifyClient require
  SSLVerifyDepth 10
  SSLCACertificateFile conf/cacert.pem
  SSLCARevocationFile conf/crl/exampleca.crl
</VirtualHost>

* Restart Apache
* Test to see that the page cannot be loaded anymore
* Check that the Apache 2 logs\error.log file contains a certificate revoked error:

[error] [client 127.0.0.1] Certificate Verification: Error (23): certificate revoked

Unix only: Use SSLCARevocationPath Instead of SSLCARevocationFile

* Create a symbolic link for every crl file in the crl directory, named after the CRL's issuer hash as printed by openssl crl -hash:

ln -s exampleca.crl `openssl crl -hash -noout -in exampleca.crl`.r0

* Point SSLCARevocationPath to the crl directory

SSLCARevocationPath /dir/to/crl

* Restart Apache
* Test to see that the page cannot be loaded anymore
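The whole lifecycle described above (client key and CSR, CA signing, PKCS#12 export, revocation, CRL generation, and the hashed-link directory that SSLCARevocationPath reads), as an added end-to-end example that is not part of the original post: a POSIX shell script that runs it on Unix against a throw-away CA and checks the outcome the way mod_ssl would, using openssl verify with -crl_check. The exampleca directory layout under $TMPDIR, the file names, the subjects and the export password are this script's own assumptions, as is an openssl binary on PATH. It uses sha256 and rsa:2048 instead of the md5WithRSAEncryption signature and 1024-bit key visible in the transcript above; both of those are below current minimums and should not be used for a new CA.

```shell
#!/bin/sh
# Added example (not the post's own commands): the client-certificate lifecycle
# from the post, run on Unix against a throw-away CA so that verification can be
# checked before and after revocation. The exampleca layout, names and the
# export password are assumptions; 'openssl' must be on PATH.
set -eu
WORK="${TMPDIR:-/tmp}/clientauth.$$"
CA="$WORK/exampleca"
CFG="$WORK/openssl.cnf"

# Minimal openssl.cnf with the sections 'openssl req', 'openssl ca' and
# '-gencrl' need. sha256 / rsa:2048 replace the post's md5 / rsa:1024.
write_config() {
cat > "$CFG" <<EOF
[ ca ]
default_ca       = exampleca
[ exampleca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/certs
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = client_ext
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
emailAddress        = optional
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = ca_ext
[ req_dn ]
CN = Example CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# Directory layout 'openssl ca' expects (index, serial, crlnumber) + self-signed CA cert.
setup_ca() {
    mkdir -p "$CA/certs" "$CA/private"
    : > "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
    write_config
    openssl req -config "$CFG" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example CA/O=Example CA/C=US" \
        -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null
}

# Client key + CSR, CA-signed cert (lands in certs/01.pem as in the post), PKCS#12 for a browser.
issue_client() {
    openssl req -config "$CFG" -newkey rsa:2048 -nodes \
        -subj "/CN=John Doe/O=Example CA/C=US/emailAddress=johndoe@exampleca.com" \
        -keyout "$WORK/client_key.pem" -out "$WORK/client_req.pem" 2>/dev/null
    openssl ca -config "$CFG" -batch -notext -in "$WORK/client_req.pem" \
        -out "$WORK/client_cert.pem" 2>/dev/null
    openssl pkcs12 -export -clcerts -in "$WORK/client_cert.pem" -inkey "$WORK/client_key.pem" \
        -out "$WORK/client_cert.p12" -passout pass:constructed-export-password
}

# Map 'openssl verify' output to OK / revoked / failed ("certificate revoked" is error 23,
# the same code mod_ssl writes to error.log).
classify() {
    case "$1" in *"certificate revoked"*) echo revoked ;; *": OK"*) echo OK ;; *) echo failed ;; esac
}

# Verify as mod_ssl does: chain to the CA, then honour the CRL. $1 = CRL file, "" = no CRL check.
verify_client() {
    if [ -n "${1:-}" ]; then set -- -crl_check -CRLfile "$1"; else set --; fi
    classify "$(openssl verify -CAfile "$CA/cacert.pem" "$@" "$WORK/client_cert.pem" 2>&1 || true)"
}

# Revoke the client cert and publish a CRL ('openssl ca -revoke' / '-gencrl' from the post).
revoke_and_gencrl() {
    openssl ca -config "$CFG" -revoke "$WORK/client_cert.pem" 2>/dev/null
    openssl ca -config "$CFG" -gencrl -out "$WORK/exampleca.crl" 2>/dev/null
}

# SSLCARevocationPath layout: one <issuer-hash>.r0 link per CRL, looked up via -CApath.
verify_via_crl_dir() {
    mkdir -p "$WORK/crl"
    for f in "$WORK"/*.crl; do
        ln -sf "$f" "$WORK/crl/$(openssl crl -hash -noout -in "$f").r0"
    done
    classify "$(openssl verify -crl_check -CAfile "$CA/cacert.pem" -CApath "$WORK/crl" \
                "$WORK/client_cert.pem" 2>&1 || true)"
}

setup_ca; issue_client
BEFORE=$(verify_client "")                      # accepted: chains to the CA
revoke_and_gencrl
AFTER=$(verify_client "$WORK/exampleca.crl")    # rejected: listed in the CRL
VIA_PATH=$(verify_via_crl_dir)                  # rejected again, via the hashed directory
rm -rf "$WORK"
echo "before=$BEFORE after=$AFTER via_path=$VIA_PATH"
```

Run it as `sh clientauth.sh`; the last line printed should read `before=OK after=revoked via_path=revoked`. The two verify functions mirror what Apache does at handshake time with SSLVerifyClient require: without a CRL the certificate chains to cacert.pem and is accepted; once exampleca.crl is supplied, either directly (SSLCARevocationFile) or through the hash-named link in a directory (SSLCARevocationPath), the same certificate fails with error 23, the code that appears in the error.log line quoted above. Note that a CRL has its own validity window (default_crl_days here), so a server that keeps serving an expired CRL will start rejecting every client, not just the revoked ones.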
