Setting up client-side certificate authentication ------------------------------------------------- This is written and tested on apache2. Requires openSSL, tested on OpenSSL version 1.0.1f 6 Jan 2014. First, setup openssl for use in being a certificate authority. For that you have to edit openssl.conf ( on debian based systems should be located at /etc/ssl/ ) There are a lot of options there but some basics for example. Your policy_match will probably look different in production, also the default days (of key validity) should probably be not 10 years for production. ``` default_ca = CA_development [ CA_development ] dir = /etc/ssl/private database = $dir/index.txt serial = $dir/serial private_key = $dir/ca.key.pem certificate = $dir/ca.crt default_days = 3650 default_md = md5 new_certs_dir = $dir policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = match commonName = supplied emailAddress = optional ``` Following commands should be run in /etc/ssl/ unless you choose another location for your keys. Now you need cert authority key which can be generated by ` openssl genrsa -out private/ca.key ` Now generate a new certificate request with `openssl req -new -key private/ca.key -out private/ca.csr` And sign it `openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt` Setup the first serial number for our keys, should be a 4 digit hex string `echo FAD0 > private/serial` Create key database `touch private/index.txt` And finally, create a cert revocation list for removing user certs `openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7` Now, we need a certificate for our webserver. Don't bother putting a password on it since you need it to start apache. If there's a good workaround for this, please let us know. Let's generate the apache key, `openssl genrsa -out private/apache.key` Create a certificate request for it ` openssl req -new -key apache.key -out apache.csr` and sign it `openssl ca -in private/apache.csr -cert private/ca.crt -keyfile private/ca.key -out private/apache.crt` Now we are ready to setup apache to use our keys for authentication. A sample apache2 conf ``` SSLEngine on SSlOptions +StrictRequire SSLCertificateFile /etc/ssl/private/apache.crt SSLCertificateKeyFile /etc/ssl/private/apache.key SSLCACertificateFile /etc/ssl/private/ca.crt SSLVerifyClient require ``` *replace the repeating lines from previous apache conf with lines from this one* There could be some more mojo needed to check if Certificates are expired and etc but I haven't really tested it out yet. Now let's create an example user certificate. Start off with the key `openssl genrsa -des3 -out $base/users/$1/$1.key 1024` . Now a certificate signing request for that key `openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr` and finally let's sign it `openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt` and we should be done. In real life (!development), user should generate their own key and cert request.