zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-08-05 09:21:43 +02:00
Code Issues Projects Releases Packages Wiki Activity

Client-cert authentication

Browse source
This commit is contained in:
Andres Keskküla 2014-12-22 10:26:15 +02:00
parent e33ab4dce9
commit 24415a2f21
1 changed files with 61 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

61
doc/ssl.md Normal file
View file

@ -0,0 +1,61 @@
Setting up client-side certificate authentication
-------------------------------------------------
This is written and tested on apache2.
Requires openSSL, tested on OpenSSL version 1.0.1f 6 Jan 2014.
First, setup openssl for use in being a certificate authority. For that you have to edit openssl.conf ( on debian based systems should be located at /etc/ssl/ )
There are a lot of options there but some basics for example. Your policy_match will probably look different in production, also the default days (of key validity) should probably be not 10 years for production.
```
default_ca = CA_development
[ CA_development ]
dir = /etc/ssl/private
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/ca.key.pem
certificate = $dir/ca.crt
default_days = 3650
default_md = md5
new_certs_dir = $dir
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
```
Following commands should be run in /etc/ssl/ unless you choose another location for your keys.
Now you need cert authority key which can be generated by
` openssl genrsa -out private/ca.key `
Now generate a new certificate request with `openssl req -new -key private/ca.key -out private/ca.csr`
And sign it `openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt`
Setup the first serial number for our keys, should be a 4 digit hex string `echo FAD0 > private/serial`
Create key database `touch private/index.txt`
And finally, create a cert revocation list for removing user certs `openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7`
Now, we need a certificate for our webserver. Don't bother putting a password on it since you need it to start apache. If there's a good workaround for this, please let us know.
Let's generate the apache key, `openssl genrsa -out private/apache.key`
Create a certificate request for it ` openssl req -new -key apache.key -out apache.csr` and sign it `openssl ca -in private/apache.csr -cert private/ca.crt -keyfile private/ca.key -out private/apache.crt`
Now we are ready to setup apache to use our keys for authentication. A sample apache2 conf
```
SSLEngine on
SSlOptions +StrictRequire
SSLCertificateFile /etc/ssl/private/apache.crt
SSLCertificateKeyFile /etc/ssl/private/apache.key
SSLCACertificateFile /etc/ssl/private/ca.crt
SSLVerifyClient require
```
*replace the repeating lines from previous apache conf with lines from this one*
There could be some more mojo needed to check if Certificates are expired and etc but I haven't really tested it out yet.
Now let's create an example user certificate.
Start off with the key `openssl genrsa -des3 -out $base/users/$1/$1.key 1024` . Now a certificate signing request for that key `openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr` and finally let's sign it `openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt` and we should be done.
In real life (!development), user should generate their own key and cert request.