• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2506
  • Last Modified:

Apache & Mod_SSL Client Certificate Authentication

Dear Experts,

I have asked a similar question to this subject before and seemed to get answers that just quite simply contained the question I had asked.  

So what I am looking for is a comprehensive answer to this problem because we have tried going over and over this numerous times, using various forums and searches on google.  Even the actual mod_ssl seems very basic at explaining the product itself.  

What we want to do is for visitors to visit a certain domain on our server i.e portal.domain.com or simply (192.0.0.1) and be asked for 2 main credentials:

Username and Password via .htaccess or php db_sessions
Client Certificate Credentials on their PC's Browser

If they can't provide the right credentials and don't posses the certificate in the browser then no access can be given.

I have access to our server via SSH/Putty, we use WebHostManager (WHM) and I understand Linux commands reasonably well.  I just need some guidance of what to do.

I understand that we need to do these steps:

Create a CA
Setup the web server certificate
Install the CA Certificate on the web server
Adjust http.conf to request a certificate on access to that area
Install the certificate on the client browser

I hope this is right.

I can almost do the first 3 alright without problem as this can be done through WHM if needed.  Trying to get the apache for that domain to request a certificate of even get the certificate to the users browser is confusing me and I am completely lost.

It would be good to hear from someone who has completed this from end to end.  In this situation I would prefer that I get answers from those who are certain of how to do it.  I don't mean to be rude in anyway, its just I have had contributions before that have been very little or even no help and this is quite urgent.

Hope to get a solution soon

Thanks

Mark






0
mdmarkbowman
Asked:
mdmarkbowman
  • 6
  • 4
1 Solution
 
ahoffmannCommented:
> Client Certificate Credentials on their PC's Browser
and
> Create a CA
> Setup the web server certificate
> Install the CA Certificate on the web server
> Adjust http.conf to request a certificate on access to that area
> Install the certificate on the client browser

sounds like you're mixing client side certs with the server cert, these 2 are different
The server cert is used for SSL connections, usually, it identifies the server and the client can then use the public key to encrypt the data on the connection (SSL/TLS and https).
While the client side cert identifies the client where the server needs to know the public key of the client. You need some kind of PKI for that.

Do you just want to have SSL conections, or do you realy mean to setup your server for client site certs?
0
 
mdmarkbowmanAuthor Commented:
Thanks for taking time to respond. Yes Client Certs are what I am looking for.

Let me give you an example:

I log onto my Business Internet Banking at www.mybank.co.uk/business.

I click a link that says "logon" and this takes me to a page where I add my credentials to a form.

Clicking submit the server then runs the code and checks for my username to be correct, my password to match the records.

After this my browser then pops up a window that tells me the server requires me to identify myself (via certificate) and I click yes continue and the certificate is checked and access to the banking service is allowed.  

The certificate was downloaded when I activated my Internet Banking and I assume that the certificate contains information about my details/profile so I can also be identified.  Its not just a generic certificate.

Does this help?

Thanks again

Mark
0
 
ahoffmannCommented:
> The certificate was downloaded when I activated ..
hmm, strange kind of certificate distrtibution
this way everyone can get a cert for everyone else, how can you proof that nobody else has the same cert as you?
I'd not trust such certs :-(

This is not how certs work!
A client cert needs to be generated on the client, or if its genereated somewhere else you need to transmit it in a secure manner.
That's why I mentioned a PKI first. And PKIs is what most companies (in particular banks) won't do 'cause it is expensive.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
ahoffmannCommented:
> The certificate was downloaded when I activated ..
hmm, strange kind of certificate distrtibution
this way everyone can get a cert for everyone else, how can you proof that nobody else has the same cert as you?
I'd not trust such certs :-(

This is not how certs work!
A client cert needs to be generated on the client, or if its genereated somewhere else you need to transmit it in a secure manner.
That's why I mentioned a PKI first. And PKIs is what most companies (in particular banks) won't do 'cause it is expensive.
0
 
mdmarkbowmanAuthor Commented:
Sorry maybe not clear enough.  I find it really confusing.

After registering (paper based) with my bank I was then given instructions to access an area of the banks site to activate the service.  Now the bank obviously then prepare a certificate (and this is what I want to know - how this is done) that I can download (on first activation only) and install to my browser.  

If I try to access the Internet banking area on another PC i cannot get access even with the correct username and password.  If my collegue tries to access his banking on my PC (with the certificate installed on) it will not allow him access because obviously even though there is a certificate on the machine for the server it is not for the user with that name and password.  

You have confused me greatly saying that the client cert needs to be generated by the client???  If you have 1000,000 internet banking users, what is the likelyhood of them being able to generate a client certificate.  Surely the certificate is distributed to the clients by the bank as they are allowing the user access to their system.      

I surely would not have to generate the client certificate to access the banks servers??? Would I?  I certainly did not do this!
0
 
cybertopiaCommented:
----------------
Create a CA
Setup the web server certificate
Install the CA Certificate on the web server
Adjust http.conf to request a certificate on access to that area
Install the certificate on the client browser
----------------

So, you're using WHM. This makes it easier to build the CA.
In that case you can certainly generate a CSR (WHM > Generate a SSL Certificate and Signing Request) and then install it in WHM > Change cPanel/WHM Certificate.

Making a self-signed one?

1. Click on the "Install an SSL Certificate and Setup the Domain link" in the SSL/TLS menu.

2. Enter the domain that the certificate is issued for, the user name for the users account, and Dedicated IP address assigned for the certificate in the Domain, User, and IP Address fields.

3. Click on the "Fetch" button to paste the .key and the existing .crt files for the domain into the available display spaces, if they are currently on your server. Otherwise, copy and paste the .key and .crt files into the available display areas.

The .crt file is the info that starts with -----BEGIN CERTIFICATE-----
The .key file is the second file that was emailed to you from the server and is knows as the RSA file it starts with -----BEGIN RSA PRIVATE KEY-----
Note: If you generated the certificate using WebHost Manager, the RSA key files will be available on the server.

4. Replace the existing .crt file if it was successfully retrieved on the server with certificate info

5.Click on the "Do it" button to install the new certificate.
0
 
ahoffmannCommented:
>  Surely the certificate is distributed to the clients by the bank ..
ok, that's what I meant with "how can you proof that nobody else" and "if its genereated somewhere else you need to transmit it in a secure". So if you can trust your bank and the connection (SSL), then that's fine. Anyway I'd ask who has access to the cert after you got it 'cause they generate it on their site.

Does cybertopia's suggestion do what you need? Then the grading seems to be wrong.
0
 
mdmarkbowmanAuthor Commented:
No - none of the answers hit the spot, and cybertopia just told me to do what we have done several times with securing our retailer site with Thawte Certificates.  I think maybe because I did not understand the area of this subject that I asked question in the wrong manner maybe.  I felt that my explanation and example were good enough to ensure an expert could see my point.  

I wasn't asking the question wether I could trust the bank or their connection, what I fundamentally asked was the question of what I now know as PKI, of which i picked up from your posts and then searched on google.  I did not find out exactly what I needed from you and have searched the web and other areas.  Your post merely gave me a clue and I thank you for that.  You threw the element of trust in there when all I really needed at this stage was to know how to do it.  That question could have come in another question.  

I now understand that we would have to set up our own CA, which we know we can do with OpenSSL and a piece of software called TinyCA.  We can issue, renew and revoke client certificates using this if we want.  But i had to look elsewhere for the answers and researched it myself, and made a couple of phone calls.    

In response to the comment about trusting the bank.  The client cert is issued by them, so they have obviously set up their own CA and issue their own Client Certificates, BUT their own (SSL Server) i.e. clicking the gold padlock is still signed by Verisign inc, even though the Client Cert is not.  

Didn't I give the points to you or did I by mistake give them to someone else.  
0
 
ahoffmannCommented:
asing for the grading was 'cause I got the feeling that another comment does give you what you wanted, which wasn't the case as you explained. Thanks.

BTW, about your own CA you probably might have a look at http://www.openca.org/openca/
0
 
mdmarkbowmanAuthor Commented:
Now for sending me this link, I would have saved a couple of hours yesterday.  Brilliant!!!

Just what I was trying to find.  Could not for the life of me find anything on Google or other SE's that came up with this.  

If I could regrade you I would.  

You have pointed me in the right direction i.e. PKI,

and now sent me this.  

I do feel rather guilty and should not have accepted the answer so quickly.

Thanks very much..

Mark
0
 
ahoffmannCommented:
so you got what you want/need, that's fine and what EE is for. Feel guilty (and enjoy;-)
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now