http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication
Server & User Certificates
Issue both server and user certificates (see https://sites.google.com/site/bingsite/protocol-service/key-certificate-openssl)
bing@binginspiron:~/Work/IT/CA$ openssl req -newkey rsa:2048 -nodes -sha256 -keyout private_users/docs.eastip.com.key -keyform PEM -out private_users/docs.eastip.com.req -outform PEM
(use -sha256: certificates signed with SHA-1 are rejected by current browsers)
have the CA sign the request, then copy the issued certificate (docs.eastip.com.pem) and the private key to the server; the key goes under /etc/ssl/private, root-owned, mode 600
Enable apache ssl module
a2enmod ssl
a2ensite default-ssl
Setup Server Certificate
edit /etc/apache2/sites-enabled/default-ssl
" SSLCertificateFile /etc/ssl/certs/docs.eastip.com.pem
SSLCertificateKeyFile /etc/ssl/private/docs.eastip.com.key
"
restart server "service apache2 restart"
Setup Client Verification
edit /etc/apache2/sites-enabled/default-ssl and add the following
(note: SSLVerifyClient optional combined with the RewriteCond on SSL_CLIENT_VERIFY gives a readable error page instead of a bare TLS handshake failure; with "optional" the handshake completes even without a certificate, so the RewriteRule is what actually denies access and it must cover every path in the vhost)
(note: use a new directory to hold the trusted CA certificate; /etc/ssl/certs already holds the system CA bundle, and using it would mean a client certificate issued by any of those public CAs is accepted)
SSLVerifyClient optional
SSLVerifyDepth 3
# Certificate Error Handling (see http://wiki.cacert.org/ApacheServerClientCertificateAuthentication)
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule .? - [F]
ErrorDocument 403 "ACCESS DENIED: You need a client side certificate issued by EAST IP to access this site"
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
SSLCACertificatePath /etc/ssl/eastip_certs/
mkdir /etc/ssl/eastip_certs
chmod 755 /etc/ssl/eastip_certs
copy eastip CA certificate to /etc/ssl/eastip_certs, then, at the /etc/ssl/eastip_certs dir, make hash links:
c_rehash .
Now restart the server and access the site; the browser should prompt for a client certificate, and a request without a valid one gets the 403 page.
Instead of SSLCACertificatePath you can use SSLCACertificateFile, which is simpler when only one or a few CA certificates are trusted (concatenate them, PEM encoded, into one file; no hash links needed).
Fake Basic Authentication
Set up fake basic auth (allowed users are listed in a password file)
# Allowing Specific Certificates
SSLOptions +FakeBasicAuth
SSLRequireSSL
AuthName "DOCS Area"
AuthType Basic
AuthUserFile /var/www/.docspasswd
require valid-user
content of the password file (/var/www/.docspasswd) looks like this:
/CN=Daniel Black/emailAddress=daniel@cacert.org:xxj31ZMTZzkVA
the part before ":" is the certificate subject in Apache's one-line DN form (the value of SSL_CLIENT_S_DN), as printed by "openssl x509 -noout -subject -in certificate.crt" with the leading "subject=" dropped; with OpenSSL 1.1 and later add -nameopt compat to get the /C=.../CN=... form. The part after ":" is not a per-user secret: mod_ssl always sends the literal word "password", and xxj31ZMTZzkVA is its crypt() hash, so every line ends the same way.
However, FakeBasicAuth works by synthesizing a Basic Authorization header (user = certificate subject, password = "password") and setting REMOTE_USER to the subject DN. In a reverse-proxy setup that header is forwarded to the backend and can disturb the application. In that case, use SSLRequire as below.
SSLRequire
See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire
Example:
SSLRequireSSL
SSLRequire (%{SSL_CLIENT_S_DN_O} in {"East IP Inc."} and %{SSL_CLIENT_S_DN_Email} in {"bing.ren@eastip.com"})
When used to specify a list of allowed users, the file() function described in the SSLRequire documentation can read the list of e-mail addresses from a file instead of spelling them out in the directive.
Note this must be in a directory context (<Directory>, <Location>, <Proxy *> or .htaccess), not at server or vhost level. In Apache 2.4 SSLRequire is deprecated in favour of "Require expr" with the same SSL_CLIENT_* variables.
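The whole procedure above (issuing the certificates, populating the hashed CA directory, producing the FakeBasicAuth password line, and checking a certificate's e-mail address against an allow-list the way the SSLRequire line does) as one runnable shell example. This is an added example, not code from the page or from Apache: it uses a throwaway self-signed CA in place of the EAST IP CA, and the scratch directory, subjects, file names and the allow-list file are assumptions. It needs only the openssl command line (c_rehash is used only as a fallback on OpenSSL older than 1.1.0).

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway CA, a server
# certificate and a client certificate, install the CA in a dedicated hashed
# directory (what SSLCACertificatePath expects) and run the same checks
# Apache performs. Paths, names and subjects below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # scratch directory (assumption)
CADIR="$WORK/eastip_certs"          # stands in for /etc/ssl/eastip_certs
FAKE_PW='xxj31ZMTZzkVA'             # crypt() of the literal word "password", what FakeBasicAuth sends

# Self-signed private CA. SHA-256: SHA-1 signatures are rejected by modern clients.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=East IP Inc./CN=East IP Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Key + CSR for $1 with subject $2, then sign the CSR with the CA (the step the page
# leaves to the CA operator).
issue_cert() {
    name=$1; subj=$2
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.req" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.req" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$name.pem" 2>/dev/null
}

# Dedicated trust dir with hash symlinks; the system dir would trust every public CA.
install_ca() {
    mkdir -p "$CADIR" && chmod 755 "$CADIR"
    cp "$WORK/ca.pem" "$CADIR/eastip-ca.pem"
    # 'openssl rehash' exists since OpenSSL 1.1.0; older builds ship the c_rehash script
    openssl rehash "$CADIR" 2>/dev/null || c_rehash "$CADIR" >/dev/null
}

# What SSLVerifyClient require does: chain the client cert to a CA in the trust dir.
# Checks the printed verdict rather than the exit status, which old OpenSSL got wrong.
# Returns 0 when the certificate is acceptable, non-zero otherwise.
verify_client() {
    openssl verify -CApath "$CADIR" "$1" 2>/dev/null | grep -q ': OK$'
}

# Subject in Apache's one-line form (/O=.../CN=...), i.e. the value of SSL_CLIENT_S_DN.
# -nameopt compat keeps that form on OpenSSL 1.1+/3.x; sed strips 'subject=' or 'subject= '.
subject_line() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# One line for the FakeBasicAuth AuthUserFile: subject, colon, the fixed "password" hash.
passwd_line() {
    printf '%s:%s\n' "$(subject_line "$1")" "$FAKE_PW"
}

# The SSLRequire-style check: is the certificate's e-mail address in an allow-list file
# (one address per line)? Returns 0 if allowed, non-zero otherwise.
email_allowed() {
    cert=$1; listfile=$2
    email=$(openssl x509 -noout -email -in "$cert" | head -n 1)
    [ -n "$email" ] && grep -qxF "$email" "$listfile"
}

main() {
    make_ca
    issue_cert server "/O=East IP Inc./CN=docs.eastip.com"
    issue_cert client "/O=East IP Inc./CN=Bing Ren/emailAddress=bing.ren@eastip.com"
    # A certificate from some other issuer: well-formed, but must be refused.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Someone Else/CN=Intruder" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
    install_ca
    printf 'bing.ren@eastip.com\n' > "$WORK/allowed_emails"   # constructed allow-list

    passwd_line "$WORK/client.pem"              # paste into /var/www/.docspasswd
    verify_client "$WORK/client.pem" && echo "client.pem: verified against $CADIR"
    verify_client "$WORK/rogue.pem" || echo "rogue.pem: rejected (not issued by our CA)"
    email_allowed "$WORK/client.pem" "$WORK/allowed_emails" && echo "client.pem: e-mail on allow-list"
}

main
```

Run it with sh; it prints the password-file line and the verdicts for the two certificates. verify_client trusts only the dedicated directory, which is exactly why the page tells you not to reuse /etc/ssl/certs: the rogue certificate fails there even though it is perfectly well-formed, and it would equally fail for a certificate from a public CA.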