(Last modified: 07/15/01)

Introduction

This document demonstrates how Apache can be used to control access based on a web client's digital certificate. Three machines are used in this example:

• A Certificate Authority (CA), running OpenBSD, which validates and signs the client keys,
• A web server, running OpenBSD and Apache + mod_ssl, which only allows users with certificates signed by the CA to view its protected pages, and
• The client, running Windows 2000 and IE 5.5, which requests a key with openssl.exe, and attempts to view the pages protected by the web server.

  Note that in a production environment, the CA should be a separate machine and disconnected from the network.

   

  Create the Certificate Authority (CA)

  On the machine used for the CA, create a directory for its keys:

   

  mkdir -p /etc/ssl/ca/private
  chown -R root:wheel /etc/ssl/ca
  chmod 700 /etc/ssl/ca/private
  

  Next, generate a private key and a certificate request, and then self-sign the certificate.

   

  openssl genrsa -out ca.key 1024
  openssl req -new -key ca.key -out ca.csr
  openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
  

   

  Setup the Web Server Certificate

  On the web server, create a self-signed certificate for SSL requests:

   

  openssl genrsa -out server.key 1024
  openssl req -new -key server.key -out server.csr
  openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  

  Make sure the path(s) to the server certificate are correct in /var/www/conf/httpd.conf.

   

  Install the CA Certificate on the Web Server

  Copy the CA certificate (via floppy) to /var/www/conf/ssl.crt/ca.crt, on the web server.

  Tell the web server (Apache) where it can find the CA certificate, in httpd.conf:

   

  <VirtualHost _default_:443>
  ... 
  SSLCACertificateFile /var/www/conf/ssl.crt/ca.crt
  ...
  </VirtualHost>
  

   

  Require a Certificate for Access

  Tell Apache which URL (in this case /cert) to require authentication for. httpd.conf:

   

  <VirtualHost _default_:443>
  ...
  <Location /cert>
     SSLRequireSSL
     SSLVerifyClient require
     SSLVerifyDepth 10
  </Location>
  ...
  </VirtualHost>
  

  Shutdown and Restart httpd:

   

  apachectl stop
  /usr/sbin/httpd -DSSL
  

  Have the Client Request a Certificate

  On the client, generate a private key and certificate request:

   

  openssl genrsa -out client.key 1024
  openssl req -new -key client.key -out client.csr -config openssl.cnf
  

  OpenSSL for Win32 can be downloaded here.

  Note that OpenSSL won't be able to obtain a nice pseudo-random sample for its key generation, and will complain. However, it will allow you to specify a document for added entropy with the -rand switch. In testing, I created a file on the OpenBSD machine with dd if=/dev/srandom of=output.txt bs=4096 count=1, copied that file to Windows, and generated a key with openssl genrsa -rand output.txt -out client.key 1024.

   

  Have the Authority Sign the Certificate

  Copy the client request to the CA (via floppy), and sign the client request with the CA's private key:

   

  openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
  

  Copy the signed certificate (client.crt) back to the client.

   

  Import the Client Certificate

  Create a PKCS#12 document from the client private key and the signed certificate:

   

  openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
  

  Double click client.p12 to import, and select the default values.

  Finally, attempt to access the protected server pages (e.g. http://www.server.com/cert/).

  Known Issues

  The example generates 1024-bit keys. I tried 4096-bits for each key without success. Please drop me a note if you've solved this dilema.