Cams Administrator's Guide

Configuring Apache 2.0 for SSL/TLS Mutual Authentication using an OpenSSL Certificate Authority

Apache 2 and OpenSSL provide a useful, easy-to-configure and cost-effective mutual SSL/TLS authentication development and test environment. This document provides instructions for configuring X.509 client certificate authentication using the following system components:

The following steps are required:

  1. Creating a Certificate Authority using OpenSSL
  2. Creating a Web Server Certificate
  3. Configuring Apache 2.0 SSL
  4. Creating a Client Certificate
  5. Importing a Client Certificate into Web Browsers
  6. Configuring Apache to Require a Client Certificate
  7. Configuring Apache 2 with a Certificate Revocation List (CRL)

Creating a Certificate Authority using OpenSSL

A Certificate Authority (CA) creates and manages certificates for web servers, web clients, email encryption, code signing, etc. For our purposes, we’ll want to set up a CA so that we can create web server X.509 certificates that will enable use of SSL and client X.509 certificates that will enable client authentication.

Although almost all commercial web sites use X.509 certificates issued by well known public certificate authorities like Verisign and Thawte, it is also common for companies to serve as their own certificate authority for intranet and extranet sites. We’ll use OpenSSL on Linux/UNIX to configure our own CA and issue certificates for development purposes.

Keep in mind that the root CA certificate that you will create will be used by the Apache 2 web server to establish a chain of trust when authenticating clients that present an X.509 certificate. The root CA certificate will also need to be imported into your web browser so it can resolve the certificate returned from the web server to a trusted CA.

Configuring OpenSSL

OpenSSL provides all the functionality required to set up a certificate authority, issue web server certificates, issue client certificates and revoke certificates. As a convenience, OpenSSL provides a configuration file that can be used to retain default values used within the management context of a CA. As a first step, you’ll want to confirm that the openssl command is in your PATH:

% which openssl
/usr/bin/openssl

If the openssl command is not in your PATH, then you’ll either need to find it or install it. The following instructions will assume that the OpenSSL distribution is installed in a tree at /usr/local/ssl and the openssl command is installed in directory /usr/local/ssl/bin.

Before editing the OpenSSL configuration file, make a backup copy of the original:

% cd /usr/local/ssl
% cp openssl.cnf openssl.cnf.ORIG

Next, you’ll need to edit file openssl.cnf and change the values shown below (the CA section name, the directory paths and the distinguished-name defaults) to match your own CA.

WARNING: Only a subset of the file is shown, so don’t copy and paste what’s shown below into the file.

####################################################################
[ ca ]
default_ca = cafesoftCA # The default ca section

####################################################################
[ cafesoftCA ]

dir = /usr/local/ssl/cafesoftCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/CA/cafesoftCA.crt # The CA certificate
serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number must be
# commented out to leave a V1 CRL
crl = $dir/CA/cafesoftCA.crl # The current CRL
private_key = $dir/CA/cafesoftCA.key # The private key
RANDFILE = $dir/private/.rand # private random number file

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA

localityName = Locality Name (eg, city)
localityName_default = San Diego

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Cafesoft LLC

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_default = ca@cafenet.com
emailAddress_max = 64

Creating the Certificate Management Directories and Files

Next, we’ll create a directory hierarchy for managing the keys, certificates and other files associated with the cafesoftCA certificate authority. Issue the following commands exactly as shown:

% cd /usr/local/ssl
% mkdir cafesoftCA
% cd cafesoftCA
% mkdir CA
% mkdir server
% mkdir server/certificates
% mkdir server/requests
% mkdir server/keys
% mkdir user
% mkdir user/certificates
% mkdir user/requests
% mkdir user/keys

The CA directory will be populated with the certificate authority certificate request, keys and certificate used to sign server and user certificates. The server directory hierarchy will be used to manage certificate requests, keys and certificates issued for web server hosts. The user directory hierarchy will be used to manage certificate requests, keys and certificates for users.

OpenSSL also uses certain files to keep track of the last unique serial number assigned to a generated certificate and an index of valid and revoked certificates. Issue the following commands to set up default contents for these files:

% cd /usr/local/ssl/cafesoftCA
% echo "01" > serial
% touch index.txt

The openssl.cnf file that you edited earlier references these files so make sure they are created in the cafesoftCA directory.

Creating the cafesoftCA Key and Certificate

The general process for creating a certificate includes:

  1. Creating a private key
  2. Creating a certificate request
  3. Creating and signing a certificate from the certificate request

First, create the CA key:

% cd /usr/local/ssl/cafesoftCA
% openssl genrsa -out ./CA/cafesoftCA.key 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
......++++++
e is 65537 (0x10001)

Next, create the CA certificate request:

% openssl req -new -key ./CA/cafesoftCA.key -out ./CA/cafesoftCA.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [San Diego]:
Organization Name (eg, company) [Cafesoft LLC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Cafesoft CA
Email Address [ca@cafenet.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:


Then, self-sign the CA certificate:

% openssl x509 -req -days 3650 -in ./CA/cafesoftCA.csr -out ./CA/cafesoftCA.crt -signkey ./CA/cafesoftCA.key
Signature ok
subject=/C=US/ST=CA/L=San Diego/O=Cafesoft LLC/CN=Cafesoft CA/emailAddress=ca@cafenet.com
Getting Private key

Verifying the CA certificate contents

At this point we have our self-signed CA certificate and our CA key, which will be used to sign the web server and client certificates that we create. To verify the certificate contents, use the following command:

% openssl x509 -in ./CA/cafesoftCA.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            cd:93:0b:9f:5a:71:eb:8b
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Diego, O=Cafesoft LLC, CN=Cafesoft CA/emailAddress=ca@cafenet.com
        Validity
            Not Before: Aug 17 22:52:54 2005 GMT
            Not After : Aug 17 22:52:54 2006 GMT
        Subject: C=US, ST=CA, L=San Diego, O=Cafesoft LLC, CN=Cafesoft CA/emailAddress=ca@cafenet.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b5:5d:56:f8:08:fc:4f:c6:7a:c1:ff:4e:c3:c6:
                    f7:e7:ba:0f:2a:e2:ff:9f:04:ca:50:a8:47:a0:4a:
                    00:bb:da:d7:4b:17:9b:33:d7:7e:29:0d:8b:db:c2:
                    e8:b0:75:b7:10:43:6a:62:2b:0c:8e:d6:bf:cb:d3:
                    79:fb:63:89:1e:42:2e:e7:b9:ab:e0:99:d6:0c:84:
                    c3:21:1d:76:bb:63:de:9b:e2:6f:50:db:bb:63:0b:
                    3a:96:77:10:c2:14:7e:2d:1a:b4:16:49:ca:02:e0:
                    eb:9f:4f:78:69:6b:27:68:4c:a7:e5:ce:7a:94:a4:
                    ff:71:55:e7:bb:f5:3e:2d:19
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        b4:f0:b6:39:d4:38:cb:82:43:14:27:4a:d0:de:64:fc:b0:8e:
        e4:fa:29:42:0c:82:91:e5:ac:4e:07:a2:d3:b1:76:b7:7d:9d:
        07:12:66:9d:35:aa:61:22:db:ac:be:e1:92:68:00:98:46:c4:
        24:6c:d1:b8:d1:d4:6d:70:d3:bc:07:37:55:dd:ac:a2:d0:5b:
        58:52:a5:16:30:6d:4c:54:bb:08:e6:96:30:31:78:b8:f7:db:
        4a:fb:cd:07:7a:21:e9:64:62:ca:7d:52:d0:3b:d2:92:af:98:
        37:18:a5:25:1b:5a:da:00:31:67:69:87:65:e8:a0:ea:f8:11:
        c9:e5
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Creating a Web Server Certificate

The procedure for creating a web server certificate is similar to that for creating the CA certificate except that the web server certificate will be signed using the CA key rather than self-signing with a web server-specific key.

First, create the web server private key using a fully qualified DNS name such as linus.cafenet.com. When prompted for the pass phrase, enter a password that you can remember.

% cd /usr/local/ssl/cafesoftCA
% openssl genrsa -des3 -out ./server/keys/linus.cafenet.com.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for ./server/keys/linus.cafenet.com.key:
Verifying - Enter pass phrase for ./server/keys/linus.cafenet.com.key:

Next, create the web server certificate request using the same fully qualified DNS name you used for the private key. When prompted for the pass phrase for the key in file ./server/keys/linus.cafenet.com.key, enter the pass phrase you chose when creating the private key. It is vitally important that you set the Common Name value to the fully qualified DNS name of your web server, because that is the value a browser client verifies when it receives the web server’s certificate. (Current browsers match the host name against the subjectAltName extension rather than the Common Name, so for a present-day deployment the request also needs a DNS entry in subjectAltName.)

% openssl req -new -key ./server/keys/linus.cafenet.com.key -out ./server/requests/linus.cafenet.com.csr
Enter pass phrase for ./server/keys/linus.cafenet.com.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [San Diego]:
Organization Name (eg, company) [Cafesoft LLC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:linus.cafenet.com
Email Address [ca@cafenet.com]:root@cafenet.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Then, sign the web server certificate with the CA key:

% openssl ca -days 3650 -in server/requests/linus.cafenet.com.csr -cert ./CA/cafesoftCA.crt -keyfile ./CA/cafesoftCA.key -out ./server/certificates/linus.cafenet.com.crt -config openssl.cnf
Using configuration from /usr/local/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature OK
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Aug 18 17:41:07 2005 GMT
Not After : Aug 18 17:41:07 2006 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = Cafesoft LLC
commonName = linus.cafenet.com
emailAddress = ca@cafenet.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0A:6B:79:E7:98:5F:30:7F:A0:67:4A:12:83:9C:0A:58:BE:8B:41:2A
X509v3 Authority Key Identifier:
DirName:/C=US/ST=CA/L=San Diego/O=Cafesoft LLC/CN=Cafesoft CA/emailAddress=ca@cafenet.com
serial:CD:93:0B:9F:5A:71:EB:8B

Certificate is to be certified until Aug 18 17:41:07 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

To verify the web server certificate contents, use the following command. Note that Locality Name is absent from the issued certificate’s subject even though the request supplied it: openssl ca builds the subject from the fields listed in its policy section (policy_match by default), and that section does not include localityName.

% openssl x509 -in ./server/certificates/linus.cafenet.com.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Diego, O=Cafesoft LLC, CN=Cafesoft CA/emailAddress=ca@cafenet.com
        Validity
            Not Before: Aug 18 17:41:07 2005 GMT
            Not After : Aug 18 17:41:07 2006 GMT
        Subject: C=US, ST=CA, O=Cafesoft LLC, CN=linus.cafenet.com/emailAddress=ca@cafenet.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a4:72:f9:fd:61:c8:bb:41:d6:b0:27:31:dc:1b:
                    5c:85:24:cc:9e:45:c7:51:e9:82:0a:1a:0e:a6:fc:
                    82:35:ec:00:5d:2e:d5:f7:61:d2:22:9c:70:ee:b5:
                    76:78:27:ce:26:69:e8:ec:51:02:83:b5:de:6a:4c:
                    de:6d:f9:39:33:6f:f7:40:bc:9a:d0:be:84:f3:d0:
                    2f:35:14:92:33:55:ed:6b:93:8d:f3:8b:11:68:e9:
                    b2:7a:fe:56:b1:2e:d0:7a:65:98:b6:d2:f1:4b:ea:
                    ec:ff:7b:28:44:35:7a:0f:9c:0c:8b:07:4a:24:33:
                    04:32:d4:e9:3a:52:68:42:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0A:6B:79:E7:98:5F:30:7F:A0:67:4A:12:83:9C:0A:58:BE:8B:41:2A
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=CA/L=San Diego/O=Cafesoft LLC/CN=Cafesoft CA/emailAddress=ca@cafenet.com
                serial:CD:93:0B:9F:5A:71:EB:8B

    Signature Algorithm: md5WithRSAEncryption
        49:f9:a0:94:60:37:9b:e7:0a:5d:29:38:96:33:16:3d:be:db:
        36:9c:ef:ab:60:ee:b2:87:6f:53:2e:f8:ee:48:16:2a:60:71:
        35:6d:65:23:69:e7:c2:59:05:92:e8:a7:c4:f6:35:2f:ae:4a:
        ec:03:56:be:0e:61:83:79:7b:cd:7b:6d:2a:d2:c2:09:75:9f:
        9a:0e:60:7f:c8:1a:ff:0b:9c:f3:3f:35:fa:a8:83:4a:ca:a1:
        d0:4d:fe:d5:f6:a3:e8:2f:b4:38:15:73:3e:f7:0d:49:2b:a6:
        63:17:04:c8:6c:9d:51:3a:9d:19:9f:70:97:2b:06:97:34:3d:
        5b:41
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Key values to look for are:

Configuring Apache 2.0 SSL

Before X.509 client certificate authentication can be performed, we’ll need to configure Apache 2.0 SSL. This involves installation of the web server X.509 certificate and key and installation of the certificate authority X.509 certificate.

Installing the Web Server and CA Certificates and Keys

Use the tar command to package up the web server certificate and key, plus the CA certificate:

% cd /usr/local/ssl/cafesoftCA
% tar cvf ./linus_certs.tar ./server/certificates/linus.cafenet.com.crt ./server/keys/linus.cafenet.com.key ./CA/cafesoftCA.crt

Copy the linus_certs.tar file to the web server host.

Create a subdirectory called certs under your Apache HTTPD_ROOT directory if one does not already exist and extract the contents of the linus_certs.tar file to it:

% cd /usr/local/apache2_ssl
% mkdir certs
% cd certs
% tar xvf /tmp/linus_certs.tar

Edit the ssl.conf file in your Apache conf directory, setting the following options. The certificate paths are relative to ServerRoot, so make them match the directory into which you extracted linus_certs.tar:

ServerName linus.cafenet.com:443
SSLEngine on
SSLCertificateFile conf/certs/server/certificates/linus.cafenet.com.crt
SSLCertificateKeyFile conf/certs/server/keys/linus.cafenet.com.key
SSLCACertificateFile conf/certs/CA/cafesoftCA.crt

Verifying Apache 2 SSL Configuration

To start Apache with SSL, use the following commands:

% cd /usr/local/apache2_ssl/bin
% ./apachectl startssl

NOTE: When you start Apache, it will prompt you for the web server private key pass phrase. For now, you’ll need to enter it. Other options include stripping the pass phrase from the key and setting up a script that can provide Apache with the pass phrase on startup. The following article (on which this document is based) provides instructions for those options:

http://www.garex.net/apache/

Using your web browser, request URL:

https://linus.cafenet.com/cgi-bin/printenv

Since the web server certificate is signed by an unknown certificate authority (Cafesoft CA), your web browser will tell you the certificate is untrusted. Go ahead and accept the certificate for now. Later, when we install a client certificate, we’ll provide instructions for importing the Cafesoft CA root or top-level certificate into your browser so it will automatically trust the certificates that the Cafesoft CA has signed.

You should see information like the following in your web browser:

DOCUMENT_ROOT="/usr/local/apache2_ssl/htdocs"
GATEWAY_INTERFACE="CGI/1.1"
HTTPS="on"
HTTP_ACCEPT="*/*"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-us"
HTTP_CONNECTION="Keep-Alive"
HTTP_HOST="linus.cafenet.com"
HTTP_USER_AGENT="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50215)"
PATH="/usr/local/ssl/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin"
QUERY_STRING=""
REMOTE_ADDR="192.168.0.130"
REMOTE_PORT="4679"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv"
SCRIPT_FILENAME="/usr/local/apache2_ssl/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="192.168.0.109"
SERVER_ADMIN="norb@cafenet.com"
SERVER_NAME="linus.cafenet.com"
SERVER_PORT="443"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7a Server at linus.cafenet.com Port 443</address>\n"
SERVER_SOFTWARE="Apache/2.0.52 (UNIX) mod_ssl/2.0.52 OpenSSL/0.9.7a"
SSL_CIPHER="RC4-MD5"
SSL_CIPHER_ALGKEYSIZE="128"
SSL_CIPHER_EXPORT="false"
SSL_CIPHER_USEKEYSIZE="128"
SSL_CLIENT_CERT=""
SSL_CLIENT_VERIFY="NONE"
SSL_PROTOCOL="SSLv3"
SSL_SERVER_A_KEY="rsaEncryption"
SSL_SERVER_A_SIG="md5WithRSAEncryption"
SSL_SERVER_CERT="-----BEGIN CERTIFICATE-----\nMIIDUTCCArqgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB6MQswCQYDVQQGEwJVUzEL\nMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBEaWVnbzEVMBMGA1UEChMMQ2FmZXNv\nZnQgTExDMRQwEgYDVQQDEwtDYWZlc29mdCBDQTEdMBsGCSqGSIb3DQEJARYOY2FA\nY2FmZW5ldC5jb20wHhcNMDUwODE4MTc0MTA3WhcNMDYwODE4MTc0MTA3WjBsMQsw\nCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAoTDENhZmVzb2Z0IExMQzEa\nMBgGA1UEAxMRbGludXMuY2FmZW5ldC5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGNh\nZmVuZXQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkcvn9Yci7Qdaw\nJzHcG1yFJMyeRcdR6YIKGg6m/II17ABdLtX3YdIinHDutXZ4J84maejsUQKDtd5q\nTN5t+Tkzb/dAvJrQvoTz0C81FJIzVe1rk43zixFo6bJ6/laxLtB6ZZi20vFL6uz/\neyhENXoPnAyLB0okMwQy1Ok6UmhC9QIDAQABo4H0MIHxMAkGA1UdEwQCMAAwLAYJ\nYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud\nDgQWBBQKa3nnmF8wf6BnShKDnApYvotBKjCBlgYDVR0jBIGOMIGLoX6kfDB6MQsw\nCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBEaWVnbzEVMBMG\nA1UEChMMQ2FmZXNvZnQgTExDMRQwEgYDVQQDEwtDYWZlc29mdCBDQTEdMBsGCSqG\nSIb3DQEJARYOY2FAY2FmZW5ldC5jb22CCQDNkwufWnHrizANBgkqhkiG9w0BAQQF\nAAOBgQBJ+aCUYDeb5wpdKTiWMxY9vts2nO+rYO6yh29TLvjuSBYqYHE1bWUjaefC\nWQWS6KfE9jUvrkrsA1a+DmGDeXvNe20q0sIJdZ+aDmB/yBr/C5zzPzX6qINKyqHQ\nTf7V9qPoL7Q4FXM+9w1JK6ZjFwTIbJ1ROp0Zn3CXKwaXND1bQQ==\n-----END CERTIFICATE-----\n"
SSL_SERVER_I_DN="/C=US/ST=CA/L=San Diego/O=Cafesoft LLC/CN=Cafesoft CA/emailAddress=ca@cafenet.com"
SSL_SERVER_I_DN_C="US"
SSL_SERVER_I_DN_CN="Cafesoft CA"
SSL_SERVER_I_DN_Email="ca@cafenet.com"
SSL_SERVER_I_DN_L="San Diego"
SSL_SERVER_I_DN_O="Cafesoft LLC"
SSL_SERVER_I_DN_ST="CA"
SSL_SERVER_M_SERIAL="03"
SSL_SERVER_M_VERSION="3"
SSL_SERVER_S_DN="/C=US/ST=CA/O=Cafesoft LLC/CN=linus.cafenet.com/emailAddress=ca@cafenet.com"
SSL_SERVER_S_DN_C="US"
SSL_SERVER_S_DN_CN="linus.cafenet.com"
SSL_SERVER_S_DN_Email="ca@cafenet.com"
SSL_SERVER_S_DN_O="Cafesoft LLC"
SSL_SERVER_S_DN_ST="CA"
SSL_SERVER_V_END="Aug 18 17:41:07 2006 GMT"
SSL_SERVER_V_START="Aug 18 17:41:07 2005 GMT"
SSL_SESSION_ID="5BFCE837568BFDA50D034F1345D30F59EB000D950EBBEC2FE6FA43996A782EED"
SSL_VERSION_INTERFACE="mod_ssl/2.0.52"
SSL_VERSION_LIBRARY="OpenSSL/0.9.7a"
downgrade_1_0="1"
force_response_1_0="1"
nokeepalive="1"
ssl_unclean_shutdown="1"

Note the SSL cgi-bin environment variables, including a PEM representation of the web server certificate in SSL_SERVER_CERT. Also note that the value of SSL_CLIENT_CERT is empty because X.509 client authentication is not yet enabled.

Creating a Client Certificate

The procedure for creating a client certificate is similar to that for creating the web server certificate.

Creating a user key

The following instructions create a private key for a user named developers@cafenet.com. When prompted for the pass phrase, enter a password that you can remember.

% cd /usr/local/ssl/cafesoftCA
% openssl genrsa -des3 -out ./user/keys/developers@cafenet.com.key 1024
Generating RSA private key, 1024 bit long modulus

...++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for ./user/keys/developers@cafenet.com.key:
Verifying - Enter pass phrase for ./user/keys/developers@cafenet.com.key:

Create the user certificate request

The following command creates a certificate request for a user with email address developers@cafenet.com and common name Cafenet Developers. When prompted for the pass phrase for the key in file ./user/keys/developers@cafenet.com.key, enter the pass phrase that you used to create the user key (e.g. "password").

% openssl req -new -key ./user/keys/developers@cafenet.com.key -out ./user/requests/developers@cafenet.com.csr
Enter pass phrase for ./user/keys/developers@cafenet.com.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [San Diego]:
Organization Name (eg, company) [Cafesoft LLC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Cafenet Developers
Email Address [ca@cafenet.com]:developers@cafenet.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the user certificate request and create the certificate

% openssl ca -in ./user/requests/developers@cafenet.com.csr -cert ./CA/cafesoftCA.crt -keyfile ./CA/cafesoftCA.key -out ./user/certificates/developers@cafenet.com.crt
Using configuration from /usr/local/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature OK
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Aug 18 19:44:00 2005 GMT
Not After : Aug 18 19:44:00 2006 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = Cafesoft LLC
commonName = Cafenet Developers
emailAddress = developers@cafenet.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B2:D7:A2:E3:0F:41:FD:12:04:B0:2A:AF:47:72:C2:6B:67:66:39:A9
X509v3 Authority Key Identifier:
DirName:/C=US/ST=CA/L=San Diego/O=Cafesoft LLC/CN=Cafesoft CA/emailAddress=ca@cafenet.com
serial:CD:93:0B:9F:5A:71:EB:8B

Certificate is to be certified until Aug 18 19:44:00 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Verifying the user certificate contents

To verify the user certificate contents, you can use the following command:

% openssl x509 -in ./user/certificates/developers@cafenet.com.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Diego, O=Cafesoft LLC, CN=Cafesoft CA/emailAddress=ca@cafenet.com
        Validity
            Not Before: Aug 18 19:44:00 2005 GMT
            Not After : Aug 18 19:44:00 2006 GMT
        Subject: C=US, ST=CA, O=Cafesoft LLC, CN=Cafenet Developers/emailAddress=developers@cafenet.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ba:6f:e8:a5:62:81:6f:08:68:cc:d5:73:ce:02:
                    bc:9f:43:8b:cf:f8:24:d4:04:f8:01:75:4e:63:7b:
                    7e:7c:7b:34:49:96:4d:ce:aa:6b:9f:65:4c:24:0c:
                    a9:75:fa:45:3b:18:a7:ee:41:54:34:60:09:fd:b1:
                    06:7f:9a:a1:fe:4c:d8:2f:e4:08:de:5b:fa:a8:12:
                    ae:df:d5:f3:07:0e:43:79:91:af:e3:84:0a:b3:cb:
                    d1:fd:03:2a:b2:1c:b8:bd:d8:d0:76:a7:5d:29:28:
                    46:d1:2e:6a:7a:e9:b2:1c:d1:03:82:b1:8e:66:29:
                    85:5d:db:a1:68:ba:65:99:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B2:D7:A2:E3:0F:41:FD:12:04:B0:2A:AF:47:72:C2:6B:67:66:39:A9
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=CA/L=San Diego/O=Cafesoft LLC/CN=Cafesoft CA/emailAddress=ca@cafenet.com
                serial:CD:93:0B:9F:5A:71:EB:8B

    Signature Algorithm: md5WithRSAEncryption
        46:4e:73:ca:4b:5c:ca:ea:2b:24:df:c9:97:b8:ba:ac:e7:d8:
        7c:79:ca:bd:93:c3:ef:9d:ff:1a:e0:ad:db:33:86:b6:cd:c6:
        22:cd:14:3f:f7:fd:a9:12:09:2a:ef:b4:25:18:3a:8b:c2:d5:
        5f:e6:68:c8:8d:df:14:05:59:a2:d2:b0:ff:91:ae:29:7d:28:
        d2:43:25:d5:7f:4e:3c:43:d7:c5:08:a5:78:4a:f8:f2:90:5d:
        9a:60:1a:3b:74:14:07:2e:b8:35:9a:c6:3e:41:b0:f5:7b:7c:
        b7:de:bd:44:0b:02:2e:7f:b6:60:f3:b6:c9:0b:e8:81:0e:9d:
        8b:14
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Importing a Client Certificate into Web Browsers

Web browsers like Firefox and IE can’t import a client certificate together with its private key from the separate PEM files that OpenSSL generates and Apache uses. Consequently, we’ll need to export the user certificate and its key into a file format that web browsers can import.

Importing the client certificate in PKCS#12 format

Firefox and Internet Explorer 6.0 support the PKCS#12 certificate format. Use the following command to convert the user certificate to this format.

NOTE: During the conversion process, you’ll be asked for an export password. Enter anything you can remember, but don’t let it be empty because the file will contain your private key.

% openssl pkcs12 -export -clcerts -in ./user/certificates/developers@cafenet.com.crt -inkey ./user/keys/developers@cafenet.com.key -out ./user/certificates/developers@cafenet.com.p12

Copy the developers@cafenet.com.p12 file to a location where you can access it from your web browser via the file system.
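As an added example (not part of this guide and not Cafesoft’s code), the following bash script runs the procedure described above non-interactively from start to finish: the CA directory tree, serial and index files and self-signed root of the "Creating a Certificate Authority" section, the web server certificate of "Creating a Web Server Certificate", the client certificate of "Creating a Client Certificate", and the PKCS#12 export just shown, ending with the chain check that Apache performs against SSLCACertificateFile. The host and user names come from this guide; the scratch directory layout, the minimal openssl.cnf, the CA file name demoCA and the export password "export" are assumptions made for the demo, and it uses 2048-bit RSA keys and SHA-256 signatures instead of the 1024-bit MD5 certificates shown above.

```bash
#!/usr/bin/env bash
# Added example, not code from the Cams guide: the guide's CA -> web server
# certificate -> client certificate -> PKCS#12 procedure, run non-interactively.
# Host/user names (linus.cafenet.com, developers@cafenet.com) come from the guide;
# the directory layout, minimal openssl.cnf, CA file names and the PKCS#12 export
# password are constructed for this demo. Needs the openssl command line tool.

# Minimal openssl.cnf mirroring the guide's [ ca ] and [ cafesoftCA ] sections,
# with current defaults (SHA-256 signatures; callers generate 2048-bit keys).
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demoCA
[ demoCA ]
dir = $1
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/CA/demoCA.crt
private_key = \$dir/CA/demoCA.key
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = usr_cert
# Unlike the stock policy_match, every field but CN is optional, so the issued
# subject keeps whatever the request supplied (localityName included).
[ policy_any ]
countryName = optional
localityName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Extensions for the self-signed root; the guide's v1 root carries none.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Key + request + CA-signed certificate under $root/<kind>/: the guide's
# genrsa / req -new / ca sequence, with -batch instead of interactive prompts.
issue_cert() {
  root="$1"; kind="$2"; name="$3"; subj="$4"
  openssl genrsa -out "$root/$kind/keys/$name.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$root/$kind/keys/$name.key" -subj "$subj" \
    -config "$root/openssl.cnf" -out "$root/$kind/requests/$name.csr" 2>/dev/null || return 1
  openssl ca -batch -notext -config "$root/openssl.cnf" \
    -in "$root/$kind/requests/$name.csr" \
    -out "$root/$kind/certificates/$name.crt" >/dev/null 2>&1
}

# Build everything: root CA, one server certificate, one client certificate and
# the client's PKCS#12 bundle for browser import.
build_demo_ca() {
  root="$1"
  mkdir -p "$root/CA" "$root/certs" "$root/newcerts" \
    "$root/server/keys" "$root/server/requests" "$root/server/certificates" \
    "$root/user/keys" "$root/user/requests" "$root/user/certificates"
  echo "01" > "$root/serial"; : > "$root/index.txt"
  write_ca_config "$root"
  # Self-signed root in one step (the guide uses genrsa, req -new and x509 -req).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$root/openssl.cnf" \
    -extensions v3_ca -subj "/C=US/O=Cafesoft LLC/CN=Cafesoft CA" \
    -keyout "$root/CA/demoCA.key" -out "$root/CA/demoCA.crt" 2>/dev/null || return 1
  # The server CN must be the fully qualified host name, as the guide stresses.
  issue_cert "$root" server linus.cafenet.com \
    "/C=US/L=San Diego/O=Cafesoft LLC/CN=linus.cafenet.com" || return 1
  issue_cert "$root" user developers@cafenet.com \
    "/C=US/O=Cafesoft LLC/CN=Cafenet Developers/emailAddress=developers@cafenet.com" || return 1
  # Certificate and private key together, protected by a non-empty export
  # password ("export" is a constructed value for this demo).
  openssl pkcs12 -export -clcerts -passout pass:export \
    -in "$root/user/certificates/developers@cafenet.com.crt" \
    -inkey "$root/user/keys/developers@cafenet.com.key" \
    -out "$root/user/certificates/developers@cafenet.com.p12" 2>/dev/null
}

# The chain check Apache performs against SSLCACertificateFile: prints OK or FAIL.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Subject Common Name of a certificate (the value the guide says browsers check).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Stand-alone run: everything lands in a scratch directory.
demo_ca_dir="$(mktemp -d)"
build_demo_ca "$demo_ca_dir" || echo "build failed"
ca_crt="$demo_ca_dir/CA/demoCA.crt"
server_crt="$demo_ca_dir/server/certificates/linus.cafenet.com.crt"
client_crt="$demo_ca_dir/user/certificates/developers@cafenet.com.crt"
echo "server: $(verify_chain "$ca_crt" "$server_crt"), CN=$(cert_cn "$server_crt")"
echo "client: $(verify_chain "$ca_crt" "$client_crt"), CN=$(cert_cn "$client_crt")"
# Against the wrong trust anchor the same client certificate must not verify.
echo "client against server cert as anchor: $(verify_chain "$server_crt" "$client_crt")"
```

Run it as-is; all files land under a mktemp directory. The keys are written unencrypted (no -des3) so the script needs no pass phrases, which is acceptable for a throwaway test CA only; for a CA whose certificates gate real access, keep the CA key encrypted, as the guide’s prompts do, and store it away from the web server host.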

Internet Explorer 6.0

To import a certificate, start IE and follow the instructions below:

  1. Navigate to the Tools menu and click Internet Options
  2. Click the Content tab
  3. Click the Certificates button
  4. Click the Import button
  5. Follow the wizard instructions to select the certificate file
  6. Enter the password you used to protect your certificate and private key
  7. Import client certificates into the Personal store and root certificates for the CA that signed the web server certificates into the Trusted Root Certification Authorities store
  8. Click the imported certificate and then on the View button in the Certificate intended purposes group box. Click the Details tab and then the Edit Properties button. Make sure that the Client Authentication option is checked.

For more detailed information, please see Microsoft Internet Explorer 6 Resource Kit, Chapter 6 - Digital Certificates.

Firefox 1.5

To import a certificate, start Firefox and follow the instructions below:

  1. Navigate to the Tools menu and click Options
  2. Click the Advanced icon
  3. Click the Security tab
  4. Click the View Certificates button
  5. Click the Import button and select the certificate file
  6. Enter your master password for the Software Security Device
  7. Enter the password you used to protect your certificate and private key

Importing the Cafesoft CA root certificate into web browsers

In order to establish a chain of trust from the imported user certificate to the issuing certificate authority, you’ll need to import the Cafesoft CA certificate into your web browser. The easiest way to do this is to copy the cafesoftCA.crt certificate file to a directory where Apache can return it to a browser via an HTTP URL. For example, if you copy cafesoftCA.crt to the Apache 2 DocumentRoot (e.g. htdocs or /var/www/html), then you can simply enter the following URL into your web browser:

http://linus.cafenet.com/cafesoftCA.crt

Though the user interface for accepting the CA certificate varies, it is possible to import it for Firefox and IE 6.0 in this way.

Firefox 1.5

A dialog box appears and offers the choice of importing the CA certificate. Select the Trust this CA to identify web sites option, then click the OK button. You may also select the View button to see the certificate contents before accepting it.

Internet Explorer 6.0

A dialog box appears and asks Do you want to open or save this file?. Select the Open option, then click the Install Certificate… button when the certificate dialog appears.

Once you’ve successfully imported the Cafesoft CA you will be able to access URL:

https://linus.cafenet.com/cgi-bin/printenv

without being prompted to accept the linus.cafenet.com web server certificate. That is because the web server certificate was issued by the Cafesoft CA, and importing the CA certificate establishes the chain of trust.

Configuring Apache to Require a Client Certificate

To force clients to provide a client certificate, edit Apache 2 file APACHE_HOME/conf/ssl.conf and set the following options:

SSLVerifyClient require
SSLVerifyDepth 2

Because the client certificate that we created was signed directly by the Cafesoft CA, which is the root CA, the chain it presents contains only 2 certificates, so a depth of 2 is sufficient. After restarting the Apache 2 server and accessing the printenv cgi-bin script, you should see client certificate details as shown below:

DOCUMENT_ROOT="/usr/local/apache2_ssl/htdocs"
GATEWAY_INTERFACE="CGI/1.1"
HTTPS="on"
HTTP_ACCEPT="text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
HTTP_ACCEPT_CHARSET="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
HTTP_ACCEPT_ENCODING="gzip,deflate"
HTTP_ACCEPT_LANGUAGE="en-us,en;q=0.5"
HTTP_CONNECTION="keep-alive"
HTTP_HOST="linus.cafenet.com"
HTTP_KEEP_ALIVE="300"
HTTP_USER_AGENT="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
PATH="/usr/local/ssl/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin"
QUERY_STRING=""
REMOTE_ADDR="192.168.0.130"
REMOTE_PORT="1094"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv"
SCRIPT_FILENAME="/usr/local/apache2_ssl/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="192.168.0.109"
SERVER_ADMIN="norb@cafenet.com"
SERVER_NAME="linus.cafenet.com"
SERVER_PORT="443"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.0.52 (UNIX) mod_ssl/2.0.52 OpenSSL/0.9.7a Server at linus.cafenet.com Port 443</address>\n"
SERVER_SOFTWARE="Apache/2.0.52 (UNIX) mod_ssl/2.0.52 OpenSSL/0.9.7a"
SSL_CIPHER="DHE-RSA-AES256-SHA"
SSL_CIPHER_ALGKEYSIZE="256"
SSL_CIPHER_EXPORT="false"
SSL_CIPHER_USEKEYSIZE="256"
SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="md5WithRSAEncryption"
SSL_CLIENT_CERT="-----BEGIN CERTIFICATE-----\nMIIDWjCCAsOgAwIBAgIBBDANBgkqhkiG9w0BAQQFADB6MQswCQYDVQQGEwJVUzEL\nMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBEaWVnbzEVMBMGA1UEChMMQ2FmZXNv\nZnQgTExDMRQwEgYDVQQDEwtDYWZlc29mdCBDQTEdMBsGCSqGSIb3DQEJARYOY2FA\nY2FmZW5ldC5jb20wHhcNMDUwODE4MTk0NDAwWhcNMDYwODE4MTk0NDAwWjB1MQsw\nCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAoTDENhZmVzb2Z0IExMQzEb\nMBkGA1UEAxMSQ2FmZW5ldCBEZXZlbG9wZXJzMSUwIwYJKoZIhvcNAQkBFhZkZXZl\nbG9wZXJzQGNhZmVuZXQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6\nb+ilYoFvCGjM1XPOAryfQ4vP+CTUBPgBdU5je358ezRJlk3OqmufZUwkDKl1+kU7\nGKfuQVQ0YAn9sQZ/mqH+TNgv5AjeW/qoEq7f1fMHDkN5ka/jhAqzy9H9AyqyHLi9\n2NB2p10pKEbRLmp66bIc0QOCsY5mKYVd26FoumWZeQIDAQABo4H0MIHxMAkGA1Ud\nEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj\nYXRlMB0GA1UdDgQWBBSy16LjD0H9EgSwKq9HcsJrZ2Y5qTCBlgYDVR0jBIGOMIGL\noX6kfDB6MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBE\naWVnbzEVMBMGA1UEChMMQ2FmZXNvZnQgTExDMRQwEgYDVQQDEwtDYWZlc29mdCBD\nQTEdMBsGCSqGSIb3DQEJARYOY2FAY2FmZW5ldC5jb22CCQDNkwufWnHrizANBgkq\nhkiG9w0BAQQFAAOBgQBGTnPKS1zK6isk38mXuLqs59h8ecq9k8Pvnf8a4K3bM4a2\nzcYizRQ/9/2pEgkq77QlGDqLwtVf5mjIjd8UBVmi0rD/ka4pfSjSQyXVf048Q9fF\nCKV4SvjykF2aYBo7dBQHLrg1msY+QbD1e3y33r1ECwIuf7Zg87bJC+iBDp2LFA==\n-----END CERTIFICATE-----\n"
SSL_CLIENT_I_DN="/C=US/ST=CA/L=San Diego/O=Cafesoft LLC/CN=Cafesoft CA/emailAddress=ca@cafenet.com"
SSL_CLIENT_I_DN_C="US"
SSL_CLIENT_I_DN_CN="Cafesoft CA"
SSL_CLIENT_I_DN_Email="ca@cafenet.com"
SSL_CLIENT_I_DN_L="San Diego"
SSL_CLIENT_I_DN_O="Cafesoft LLC"
SSL_CLIENT_I_DN_ST="CA"
SSL_CLIENT_M_SERIAL="04"
SSL_CLIENT_M_VERSION="3"
SSL_CLIENT_S_DN="/C=US/ST=CA/O=Cafesoft LLC/CN=Cafenet Developers/emailAddress=developers@cafenet.com"
SSL_CLIENT_S_DN_C="US"
SSL_CLIENT_S_DN_CN="Cafenet Developers"
SSL_CLIENT_S_DN_Email="developers@cafenet.com"
SSL_CLIENT_S_DN_O="Cafesoft LLC"
SSL_CLIENT_S_DN_ST="CA"
SSL_CLIENT_VERIFY="SUCCESS"
SSL_CLIENT_V_END="Aug 18 19:44:00 2006 GMT"
SSL_CLIENT_V_START="Aug 18 19:44:00 2005 GMT"
SSL_PROTOCOL="TLSv1"
SSL_SERVER_A_KEY="rsaEncryption"
SSL_SERVER_A_SIG="md5WithRSAEncryption"
SSL_SERVER_CERT="-----BEGIN CERTIFICATE-----\nMIIDUTCCArqgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB6MQswCQYDVQQGEwJVUzEL\nMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBEaWVnbzEVMBMGA1UEChMMQ2FmZXNv\nZnQgTExDMRQwEgYDVQQDEwtDYWZlc29mdCBDQTEdMBsGCSqGSIb3DQEJARYOY2FA\nY2FmZW5ldC5jb20wHhcNMDUwODE4MTc0MTA3WhcNMDYwODE4MTc0MTA3WjBsMQsw\nCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAoTDENhZmVzb2Z0IExMQzEa\nMBgGA1UEAxMRbGludXMuY2FmZW5ldC5jb20xHTAbBgkqhkiG9w0BCQEWDmNhQGNh\nZmVuZXQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkcvn9Yci7Qdaw\nJzHcG1yFJMyeRcdR6YIKGg6m/II17ABdLtX3YdIinHDutXZ4J84maejsUQKDtd5q\nTN5t+Tkzb/dAvJrQvoTz0C81FJIzVe1rk43zixFo6bJ6/laxLtB6ZZi20vFL6uz/\neyhENXoPnAyLB0okMwQy1Ok6UmhC9QIDAQABo4H0MIHxMAkGA1UdEwQCMAAwLAYJ\nYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud\nDgQWBBQKa3nnmF8wf6BnShKDnApYvotBKjCBlgYDVR0jBIGOMIGLoX6kfDB6MQsw\nCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBEaWVnbzEVMBMG\nA1UEChMMQ2FmZXNvZnQgTExDMRQwEgYDVQQDEwtDYWZlc29mdCBDQTEdMBsGCSqG\nSIb3DQEJARYOY2FAY2FmZW5ldC5jb22CCQDNkwufWnHrizANBgkqhkiG9w0BAQQF\nAAOBgQBJ+aCUYDeb5wpdKTiWMxY9vts2nO+rYO6yh29TLvjuSBYqYHE1bWUjaefC\nWQWS6KfE9jUvrkrsA1a+DmGDeXvNe20q0sIJdZ+aDmB/yBr/C5zzPzX6qINKyqHQ\nTf7V9qPoL7Q4FXM+9w1JK6ZjFwTIbJ1ROp0Zn3CXKwaXND1bQQ==\n-----END CERTIFICATE-----\n"
SSL_SERVER_I_DN="/C=US/ST=CA/L=San Diego/O=Cafesoft LLC/CN=Cafesoft CA/emailAddress=ca@cafenet.com"
SSL_SERVER_I_DN_C="US"
SSL_SERVER_I_DN_CN="Cafesoft CA"
SSL_SERVER_I_DN_Email="ca@cafenet.com"
SSL_SERVER_I_DN_L="San Diego"
SSL_SERVER_I_DN_O="Cafesoft LLC"
SSL_SERVER_I_DN_ST="CA"
SSL_SERVER_M_SERIAL="03"
SSL_SERVER_M_VERSION="3"
SSL_SERVER_S_DN="/C=US/ST=CA/O=Cafesoft LLC/CN=linus.cafenet.com/emailAddress=ca@cafenet.com"
SSL_SERVER_S_DN_C="US"
SSL_SERVER_S_DN_CN="linus.cafenet.com"
SSL_SERVER_S_DN_Email="ca@cafenet.com"
SSL_SERVER_S_DN_O="Cafesoft LLC"
SSL_SERVER_S_DN_ST="CA"
SSL_SERVER_V_END="Aug 18 17:41:07 2006 GMT"
SSL_SERVER_V_START="Aug 18 17:41:07 2005 GMT"
SSL_SESSION_ID="2977B5F46F54EDEDCBC33FC0645B23DBBA59BFB9C06AB2ACE7ABFB497C2B6953"
SSL_VERSION_INTERFACE="mod_ssl/2.0.52"
SSL_VERSION_LIBRARY="OpenSSL/0.9.7a"

Configuring Apache 2 client directory-level access control

A directory directive like the following can be used on any of the SSL_CLIENT fields to perform access control based on client certificate fields:

<Directory "/usr/local/apache2_ssl/htdocs/cafenet_developers">
<IfDefine SSL>
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "Cafenet Developers"
</IfDefine>
</Directory>

This Directory block can be added anywhere after the ServerName directive. SSLRequire accepts arbitrarily complex expressions built from the and, or and in operators over any of the SSL_CLIENT variables shown above. See the Apache mod_ssl documentation for more details.

Configuring Apache 2 with a Certificate Revocation List (CRL)

Before a CRL can be generated, you’ll need to revoke a client certificate. The OpenSSL index that keeps track of issued certificates also keeps track of those that have been revoked. When it’s time to create a CRL, OpenSSL searches its index for all revoked certificates and generates a single file that lists their serial numbers.

Revoking a certificate

Use the following command to revoke the developers@cafenet.com.crt user certificate.

% cd /usr/local/ssl/cafesoftCA
% openssl ca -revoke ./user/certificates/developers@cafenet.com.crt
Using configuration from /usr/local/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Revoking Certificate 04.
Data Base Updated

Generating the CRL

To generate the CRL, simply use the following command:

% openssl ca -gencrl -out ./CA/cafesoftCA.crl
Using configuration from /usr/local/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"

The contents of the CRL file will look something like this:

-----BEGIN X509 CRL-----
MIIBaTCB0zANBgkqhkiG9w0BAQQFADB6MQswCQYDVQQGEwJVUzELMAkGA1UECBMC
Q0ExEjAQBgNVBAcTCVNhbiBEaWVnbzEVMBMGA1UEChMMQ2FmZXNvZnQgTExDMRQw
EgYDVQQDEwtDYWZlc29mdCBDQTEdMBsGCSqGSIb3DQEJARYOY2FAY2FmZW5ldC5j
b20XDTA1MDgxOTAwNDk0OFoXDTA1MDkxODAwNDk0OFowKDASAgECFw0wNTA4MTYy
MzUwMTdaMBICAQQXDTA1MDgxOTAwNDczM1owDQYJKoZIhvcNAQEEBQADgYEAViMV
WA68bxuxCFgQXy0z9jYRFq7YGFRK7OZ6/olM3NVcJCM7uJQwu2O8tduJ+4aan4gJ
WiZr79TN3WKWv+SWqoZx5xVwLiAdpajX4CnpOkhAOmwkPaLVPKG29/BLn42MjLmf
pi569FOs/jpfJpiMiuU70TMiALy5t8dcbT2kbf8=
-----END X509 CRL-----

Installing the CRL in Apache 2

Copy the cafesoftCA.crl file to the following location under your Apache 2 installation:

APACHE_HOME/conf/certs/CA/cafesoftCA.crl

Edit configuration file APACHE_HOME/conf/ssl.conf and set the following value:

SSLCARevocationFile conf/certs/CA/cafesoftCA.crl

After restarting the Apache 2 server, an HTTPS request that presents the revoked client certificate should be rejected, and the browser should report that the certificate has been revoked.
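The revoke, gencrl and CRL-check cycle from this section, as an added shell example that is not part of the Cams guide and not a Cafesoft script: it builds a throwaway CA in a temporary directory (the cafesoftCA directory name, the minimal openssl.cnf and the "Demo CA" and "Cafenet Developers" subjects are constructed for the demo), issues one client certificate through openssl ca so that it appears in index.txt, revokes it, generates the CRL, and shows that openssl verify with -crl_check rejects the certificate once the CRL is supplied. That is the same check mod_ssl performs against the file named by SSLCARevocationFile. It assumes an openssl binary (1.1 or later) in PATH.

```shell
#!/bin/sh
# Added example, not from the Cams guide: exercise the revoke / gencrl
# cycle against a throwaway CA in a temporary directory, then confirm
# with "openssl verify -crl_check" that the revoked certificate is
# rejected once the CRL is consulted. All paths, names and the minimal
# openssl.cnf below are constructed for this demo.
set -e

crl_demo() {
  work=$(mktemp -d)
  ca="$work/cafesoftCA"       # hypothetical CA directory, named as in the guide
  mkdir -p "$ca/newcerts" "$ca/user"
  : > "$ca/index.txt"         # the index that "openssl ca" updates on revoke
  echo 01 > "$ca/serial"
  echo 01 > "$ca/crlnumber"

  # Minimal CA configuration (constructed). "$ca" is expanded by the shell;
  # the escaped "\$dir" references stay literal for openssl to resolve.
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
unique_subject = yes

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF

  # 1. Self-signed root CA (demo only; a production CA key is kept offline).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo CA" -config "$work/openssl.cnf" \
    -keyout "$ca/cakey.pem" -out "$ca/cacert.pem" >/dev/null 2>&1

  # 2. Issue a client certificate via "openssl ca" so it is recorded in index.txt.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Cafenet Developers" \
    -config "$work/openssl.cnf" \
    -keyout "$ca/user/client.key" -out "$ca/user/client.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$work/openssl.cnf" \
    -in "$ca/user/client.csr" -out "$ca/user/client.crt" >/dev/null 2>&1

  # Plain chain validation succeeds before revocation.
  if openssl verify -CAfile "$ca/cacert.pem" "$ca/user/client.crt" >/dev/null 2>&1
  then before=valid; else before=invalid; fi

  # 3. Revoke and generate the CRL: the two steps the guide runs by hand.
  openssl ca -config "$work/openssl.cnf" -revoke "$ca/user/client.crt" >/dev/null 2>&1
  openssl ca -config "$work/openssl.cnf" -gencrl -out "$ca/cafesoftCA.crl" >/dev/null 2>&1

  # 4. Validation that consults the CRL must now fail for this certificate.
  if openssl verify -crl_check -CAfile "$ca/cacert.pem" \
       -CRLfile "$ca/cafesoftCA.crl" "$ca/user/client.crt" >/dev/null 2>&1
  then after=accepted; else after=revoked; fi

  # Count the revoked serials listed in the CRL (one expected).
  entries=$(openssl crl -in "$ca/cafesoftCA.crl" -noout -text | grep -c 'Serial Number:')
  rm -rf "$work"
  echo "before=$before after=$after crl_entries=$entries"
}

crl_demo
```

The serial printed by "Revoking Certificate 04" in the guide's output is the value that ends up in the CRL; openssl crl -in cafesoftCA.crl -noout -text shows the revoked serials and the Next Update date, and the CRL must be regenerated and re-installed under SSLCARevocationFile before that date passes or mod_ssl will treat it as stale.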


© Copyright 1996-2009 Cafésoft LLC. All rights reserved.