Setting up client-side certificate authentication
This is written and tested on apache2. It requires OpenSSL; tested with OpenSSL 1.0.1f (6 Jan 2014). First, set up OpenSSL to act as a certificate authority. For that you have to edit openssl.cnf (on Debian-based systems it should be located in /etc/ssl/). There are a lot of options in there; the basics are shown below as an example. Your policy_match will probably look different in production, and the default_days (certificate validity) should probably not be 10 years in production either.

default_ca = CA_development

[ CA_development ]
dir = /etc/ssl/private
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/ca.key.pem
certificate = $dir/ca.crt
default_days = 3650
default_md = md5
new_certs_dir = $dir
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
The following commands should be run from /etc/ssl/ unless you choose another location for your keys.
Now you need a certificate authority key, which can be generated with:
openssl genrsa -out private/ca.key
Now generate a new certificate request with:
openssl req -new -key private/ca.key -out private/ca.csr
And sign it:
openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
Set up the first serial number for our keys; it should be a 4-digit hex string:
echo FAD0 > private/serial
Create the key database (the empty index.txt file that the database setting in the config points at).
And finally, create a certificate revocation list, so that user certs can later be revoked:
openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7
Now we need a certificate for our webserver. Don't bother putting a password on it, since you need it to start Apache. If there's a good workaround for this, please let us know.
Let's generate the Apache key:
openssl genrsa -out private/apache.key
Create a certificate request for it:
openssl req -new -key private/apache.key -out private/apache.csr
and sign it:
openssl ca -in private/apache.csr -cert private/ca.crt -keyfile private/ca.key -out private/apache.crt
Now we are ready to set up Apache to use our keys for authentication. A sample apache2 config:

SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/private/apache.crt
SSLCertificateKeyFile /etc/ssl/private/apache.key
SSLCACertificateFile /etc/ssl/private/ca.crt
SSLVerifyClient require

Replace the corresponding lines in your existing Apache config with the ones above.
There may be some more mojo needed to check whether certificates are expired and so on, but I haven't really tested that out yet.
Now let's create an example user certificate.
In the commands below, $base is the CA directory and $1 the user name, as they would appear in a small wrapper script. Start off with the key:
openssl genrsa -des3 -out $base/users/$1/$1.key 1024
Now a certificate signing request for that key:
openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr
and finally let's sign it:
openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt
and we should be done.
In real life (i.e. outside development), users should generate their own key and certificate request themselves.
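The whole procedure above, from the CA config through the user certificate, as an added example script (not from the original page) that also exercises the revocation list the page sets up with -gencrl: it builds a disposable CA in a directory you pass in, issues a client cert under a policy_match policy, revokes it, and shows openssl verify -crl_check rejecting it afterwards. The directory layout, subjects and the user name are constructed for the example, and it signs with sha256 rather than the page's md5.

```shell
# Added example, not from the page: disposable CA in a directory of your choice,
# client cert issued under policy_match, then revocation checked via the CRL.
set -eu

make_demo_ca() {                      # $1 = work dir (constructed, e.g. from mktemp -d)
    mkdir -p "$1/private" "$1/newcerts" "$1/users"; chmod 700 "$1/private"
    : > "$1/index.txt"; echo FAD0 > "$1/serial"   # key database + first serial (even-length hex)
    cat > "$1/ca.cnf" <<EOF           # like the page's config, but sha256 instead of md5
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = CA_demo
[ CA_demo ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
private_key = \$dir/private/ca.key
certificate = \$dir/ca.crt
default_days = 365
default_md = sha256
policy = policy_match
[ policy_match ]
organizationName = match
commonName = supplied
EOF
    openssl genrsa -out "$1/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$1/ca.cnf" -key "$1/private/ca.key" -days 365 \
        -subj "/O=Example/CN=Demo Root CA" -addext "basicConstraints=critical,CA:TRUE" \
        -out "$1/ca.crt"
    openssl ca -config "$1/ca.cnf" -gencrl -crldays 7 -out "$1/ca.crl" 2>/dev/null  # empty CRL
}

issue_client_cert() {                 # $1 = work dir, $2 = user name
    u="$1/users/$2"; mkdir -p "$u"
    openssl genrsa -out "$u/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -key "$u/$2.key" -subj "/O=Example/CN=$2" -out "$u/$2.csr"
    openssl ca -config "$1/ca.cnf" -batch -notext -in "$u/$2.csr" -out "$u/$2.crt" 2>/dev/null
}

revoke_client_cert() {                # $1 = work dir, $2 = user name
    openssl ca -config "$1/ca.cnf" -revoke "$1/users/$2/$2.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -crldays 7 -out "$1/ca.crl" 2>/dev/null  # reissue CRL
}

# Exit 0 only if the cert chains to our CA, is within its validity period and is not on the CRL.
client_cert_ok() {                    # $1 = work dir, $2 = user name
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$1/users/$2/$2.crt" >/dev/null 2>&1
}
```

Run it as `d=$(mktemp -d); make_demo_ca "$d"; issue_client_cert "$d" alice; client_cert_ok "$d" alice && echo valid; revoke_client_cert "$d" alice; client_cert_ok "$d" alice || echo revoked`. Note that the web server only honours the CRL if it is told about it, which the Apache config above does not yet do.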