Server Authentication With Client Certificate X.509

philippmayrth

Philipp

Posted on April 3, 2021

Server Authentication With Client Certificate X.509

Introduction

Basics of setting up certificate based authentication on Apache.

Assumptions

Your Server is already configured to use SSL/TLS. This is required because the browser refuses to use its certificate for authentication on an insecure connection.

Creating all the files we need

Note: The key sizes and expiration dates must be adjusted to suite your need.

Create the CA

openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem
Enter fullscreen mode Exit fullscreen mode

Create a signing request and signing it with the CA private key

openssl genrsa -out alice.key 2028
openssl req -new -key alice.key -out alice.csr
openssl x509 -sha256 -req -in alice.csr -out alice.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095
Enter fullscreen mode Exit fullscreen mode

Convert the alice.crt to alice.p12 so a browser knows what to do with it. (Note: On safari the .p12 file has to have a password for the import to work)

openssl pkcs12 -export -clcerts -in alice.crt -inkey alice.key -out alice.p12
Enter fullscreen mode Exit fullscreen mode

Convert the .p12 to .pam so tools like curl can use it

openssl pkcs12 -in alice.p12 -out alice.pem -clcerts
Enter fullscreen mode Exit fullscreen mode

Configuring Apache

copy your CA.pem in a file readable by apache. In my case it is /home/CA.pem but this might differ for your server.

in your virtual hosts configuration file add SSLCACertificateFile and SSLVerifyClient like shown below.

<IfModule mod_ssl.c>
<VirtualHost *:443>

    SSLCACertificateFile /home/CA.pem
    SSLVerifyClient require


# ..... your additional configuration here
# .....

</VirtualHost>
</IfModule>
Enter fullscreen mode Exit fullscreen mode

Finally… we can use it

To use the certificate with curl

curl -E alice.pem https://restricted.example.de
Enter fullscreen mode Exit fullscreen mode

To install in Safari on a Mac just double click the .p12 file and follow the instructions

To install on iOS the file can be send by email (messengers don’t work) and installed by tapping on it and following the instructions. If the file is considered a production file it should NOT be send over the internet instead plug in a usb cord and transfer via iTunes.

💖 💪 🙅 🚩
philippmayrth
Philipp

Posted on April 3, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related