@Psmths
Last active February 6, 2021 16:03
Apache Client Certificate Authentication / Certificate Authority

By following this guide you will create an Apache domain or subdomain with a self-signed certificate chain, signed by your personal CA, and use that CA to authenticate clients. All certificates use ECC keys.

I. Create the Certificate Authority

First, create the CA's key and certificate. This will be used to sign all other certificates. In this example it is valid for 1 year. For the CN field anything is acceptable, preferably ca.<yourdomain>.<yourtld>.

openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyform PEM -keyout selfsigned-ca.key -x509 -days 365 -outform PEM -out selfsigned-ca.crt

II. Create and Sign VHOST Certificate

This is the certificate presented by Apache when the client connects. For the CN, enter the FQDN of this VHOST. This process creates a key and a CSR to send to the CA.

openssl ecparam -name prime256v1 -genkey -noout -out key.pem
openssl ec -in key.pem -pubout -out public.pem
openssl req -new -key key.pem -out selfsigned.csr

Then, send the CSR to the CA for signing:

openssl x509 -req -in selfsigned.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key -set_serial 100 -days 365 -outform PEM -out selfsigned.crt 

III. Create and Sign Client Certificate

Exactly as before, create a key for the client, a CSR, and sign it with the CA. The CN here can be anything, such as the person's name. It is wise to protect the exported bundle with a password, especially if you are installing the certificate on macOS/iOS. Give the client certificate a serial number different from the VHOST certificate: a CA must never issue two certificates with the same serial number, and browsers reject such a pair.

openssl ecparam -name prime256v1 -genkey -noout -out client-key.pem
openssl ec -in client-key.pem -pubout -out client-public.pem
openssl req -new -key client-key.pem -out client-cert.csr
openssl x509 -req -in client-cert.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key -set_serial 101 -days 365 -outform PEM -out client-selfsigned.crt

In order to import this key, convert it to PKCS #12 format as shown below:

openssl pkcs12 -export -inkey client-key.pem -in client-selfsigned.crt -out client-selfsigned.p12

To verify that the client certificate chains to the CA:

openssl verify -CAfile selfsigned-ca.crt client-selfsigned.crt
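
The whole of steps I to III, as an added example that is not part of the original gist: a POSIX sh script that builds the CA, VHOST and client certificates in a scratch directory and then checks that both leaf certificates verify against the CA and carry distinct serial numbers. The CN values and the PKCS #12 password are constructed placeholders; file names follow the guide.

```shell
#!/bin/sh
# Added example: builds the CA / vhost / client chain from the guide and verifies it.
# Requires the openssl CLI. Hostnames, names and the p12 password are constructed.
set -eu

build_chain() {
  dir="$1"
  mkdir -p "$dir"
  (
    cd "$dir"
    # I. CA key and self-signed CA certificate (secp384r1, valid 1 year)
    openssl ecparam -name secp384r1 -genkey -noout -out selfsigned-ca.key
    openssl req -new -x509 -key selfsigned-ca.key -days 365 \
      -subj "/CN=ca.example.test" -out selfsigned-ca.crt
    # II. vhost key, CSR and CA-signed certificate (serial 100, as in the guide)
    openssl ecparam -name prime256v1 -genkey -noout -out key.pem
    openssl req -new -key key.pem -subj "/CN=www.example.test" -out selfsigned.csr
    openssl x509 -req -in selfsigned.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key \
      -set_serial 100 -days 365 -out selfsigned.crt
    # III. client key, CSR and CA-signed certificate; a different serial, since one
    # issuer must never sign two certificates with the same serial number
    openssl ecparam -name prime256v1 -genkey -noout -out client-key.pem
    openssl req -new -key client-key.pem -subj "/CN=Alice Example" -out client-cert.csr
    openssl x509 -req -in client-cert.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key \
      -set_serial 101 -days 365 -out client-selfsigned.crt
    # PKCS #12 bundle for import into a browser or OS keychain (constructed password)
    openssl pkcs12 -export -inkey client-key.pem -in client-selfsigned.crt \
      -passout pass:changeit -out client-selfsigned.p12
  )
}

# Returns 0 only if both leaf certificates chain to the CA and their serials differ
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/selfsigned-ca.crt" "$dir/selfsigned.crt" >/dev/null || return 1
  openssl verify -CAfile "$dir/selfsigned-ca.crt" "$dir/client-selfsigned.crt" >/dev/null || return 1
  s1=$(openssl x509 -in "$dir/selfsigned.crt" -noout -serial)
  s2=$(openssl x509 -in "$dir/client-selfsigned.crt" -noout -serial)
  [ "$s1" != "$s2" ]
}
```

Run as `build_chain ./pki && verify_chain ./pki`; a non-zero exit from verify_chain means a certificate does not chain to the CA or the two leaf serials collide.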

IV. Move Key Material

It is wise to move the key material to a safe directory. I chose /etc/pki. Move the following files:

selfsigned.crt
key.pem
selfsigned-ca.crt

These files are, respectively, the vhost certificate and key, and the certificate authority certificate. The last certificate is what will be used to validate the client.

V. Configure VHOST

Add the following lines to the Apache 2 VHOST configuration. Be sure to set the ServerName field correctly.

SSLEngine On
SSLCertificateFile /etc/pki/selfsigned.crt
SSLCertificateKeyFile /etc/pki/key.pem

SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/pki/selfsigned-ca.crt