mirror of
https://github.com/internetee/registry.git
synced 2025-08-05 09:21:43 +02:00
Client-cert authentication
This commit is contained in:
parent
e33ab4dce9
commit
24415a2f21
1 changed files with 61 additions and 0 deletions
61
doc/ssl.md
Normal file
61
doc/ssl.md
Normal file
|
@ -0,0 +1,61 @@
|
|||
Setting up client-side certificate authentication
|
||||
-------------------------------------------------
|
||||
|
||||
This is written and tested on apache2.
|
||||
Requires openSSL, tested on OpenSSL version 1.0.1f 6 Jan 2014.
|
||||
First, setup openssl for use in being a certificate authority. For that you have to edit openssl.conf ( on debian based systems should be located at /etc/ssl/ )
|
||||
There are a lot of options there but some basics for example. Your policy_match will probably look different in production, also the default days (of key validity) should probably be not 10 years for production.
|
||||
|
||||
```
|
||||
default_ca = CA_development
|
||||
|
||||
[ CA_development ]
|
||||
dir = /etc/ssl/private
|
||||
database = $dir/index.txt
|
||||
serial = $dir/serial
|
||||
private_key = $dir/ca.key.pem
|
||||
certificate = $dir/ca.crt
|
||||
default_days = 3650
|
||||
default_md = md5
|
||||
new_certs_dir = $dir
|
||||
policy = policy_match
|
||||
|
||||
[ policy_match ]
|
||||
countryName = match
|
||||
stateOrProvinceName = match
|
||||
organizationName = match
|
||||
organizationalUnitName = match
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
```
|
||||
Following commands should be run in /etc/ssl/ unless you choose another location for your keys.
|
||||
Now you need cert authority key which can be generated by
|
||||
` openssl genrsa -out private/ca.key `
|
||||
Now generate a new certificate request with `openssl req -new -key private/ca.key -out private/ca.csr`
|
||||
And sign it `openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt`
|
||||
Setup the first serial number for our keys, should be a 4 digit hex string `echo FAD0 > private/serial`
|
||||
Create key database `touch private/index.txt`
|
||||
And finally, create a cert revocation list for removing user certs `openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7`
|
||||
|
||||
Now, we need a certificate for our webserver. Don't bother putting a password on it since you need it to start apache. If there's a good workaround for this, please let us know.
|
||||
Let's generate the apache key, `openssl genrsa -out private/apache.key`
|
||||
Create a certificate request for it ` openssl req -new -key apache.key -out apache.csr` and sign it `openssl ca -in private/apache.csr -cert private/ca.crt -keyfile private/ca.key -out private/apache.crt`
|
||||
|
||||
|
||||
Now we are ready to setup apache to use our keys for authentication. A sample apache2 conf
|
||||
```
|
||||
SSLEngine on
|
||||
SSlOptions +StrictRequire
|
||||
SSLCertificateFile /etc/ssl/private/apache.crt
|
||||
SSLCertificateKeyFile /etc/ssl/private/apache.key
|
||||
SSLCACertificateFile /etc/ssl/private/ca.crt
|
||||
SSLVerifyClient require
|
||||
```
|
||||
*replace the repeating lines from previous apache conf with lines from this one*
|
||||
|
||||
There could be some more mojo needed to check if Certificates are expired and etc but I haven't really tested it out yet.
|
||||
|
||||
Now let's create an example user certificate.
|
||||
Start off with the key `openssl genrsa -des3 -out $base/users/$1/$1.key 1024` . Now a certificate signing request for that key `openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr` and finally let's sign it `openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt` and we should be done.
|
||||
|
||||
In real life (!development), user should generate their own key and cert request.
|
Loading…
Add table
Add a link
Reference in a new issue