How to configure two-way SSL in the Apache web server?
How to create multiple client certificates?
How to use SSL certificates for authentication and authorization?

Main Tasks
1. Create certificates
2. Set up the Apache web server for SSL
3. Create a CGI script that reads the client certificate
4. Import the client certificate into the Firefox browser and run from the browser
1. Create certificates

1.1 Create openssl.cnf (easy to pass parameters)

The [ req ] section controls the certificate requests, [ req_distinguished_name ] holds the prompts and defaults for the subject fields, and the certauth, server and client sections are the X.509v3 extension sets selected with -extensions when each certificate is signed. The signature hash is sha256: certificates signed with sha1 are rejected by current browsers. The server section carries a subjectAltName because browsers match the host name against the SAN, not the CN, and the CA section states keyCertSign/cRLSign so the CA certificate is only usable for issuing. dataEncipherment is not needed for TLS certificates and is left out.

vi openssl.cnf

[ req ]
default_md = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = India
countryName_default = IN
countryName_min = 2
countryName_max = 2
localityName = Locality
localityName_default = Bangalore
organizationName = COMPANY
organizationName_default = COMPANY.COM
commonName = Common Name
commonName_max = 64

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
crlDistributionPoints = @crl

[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:master.company.com
nsCertType = server
crlDistributionPoints = @crl

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
crlDistributionPoints = @crl

[ crl ]
URI=http://master.company.com/ca.crl

1.2 Create the CA key and self-signed CA certificate

openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

This creates ca.key and ca.cer. ca.cer is needed in step 2.2 (and can be imported into the browser as a trusted authority to avoid the warning in step 4). ca.key signs every server and client certificate; keep it readable only by the account that runs these commands.
1.3 Create the server certificate

openssl genrsa -out server.key 2048
openssl req -config ./openssl.cnf -new -key server.key -out server.req
openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -CAcreateserial -extfile openssl.cnf -extensions server -days 3650 -outform PEM -out server.cer

When prompted for the Common Name, enter the host name clients will use (master.company.com). -CAcreateserial creates ca.srl next to ca.cer and records the serial number just issued; later signings read and increment it, so every certificate issued by this CA gets a unique serial. This creates server.cer and server.key; both are needed in step 2.2.
1.4 Create client certificates with a script. This is useful for creating multiple client certificates.

Every client certificate is signed by the same CA, so each one needs a distinct serial number. -CAserial ../ca.srl -CAcreateserial reads the CA's serial counter file (creating it on first use) and increments it; a hard-coded -set_serial 101 would give every client the same serial, and Firefox refuses to import a second certificate whose issuer and serial it already holds. The CA key is read in place rather than copied into each user's directory.

vi createclient.sh

#!/bin/bash
# usage: ./createclient.sh <username>
# run from the directory that holds ca.cer, ca.key and openssl.cnf
set -e
USER_NAME=$1
mkdir "$USER_NAME"
cd "$USER_NAME"
openssl genrsa -out client.key 2048
openssl req -config ../openssl.cnf -new -key client.key -out client.req
openssl x509 -req -in client.req -CA ../ca.cer -CAkey ../ca.key -CAserial ../ca.srl -CAcreateserial -extfile ../openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -certfile ../ca.cer -out "$USER_NAME.p12"
openssl verify -CAfile ../ca.cer client.cer
rm -f client.key client.req client.cer
1.5 Run the script with the client user name as the parameter

./createclient.sh sachin

Snapshot:

Generating RSA private key, 2048 bit long modulus
.........................................................+++
...+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
INDIA [IN]:
Locality [Bangalore]:
Organization [COMPANY.COM]:
Common Name []:sachin
Signature ok
subject=/C=IN/L=Bangalore/O=COMPANY.COM/CN=sachin
Getting CA Private Key
Enter Export Password:
Verifying - Enter Export Password:
client.cer: OK

This creates sachin/sachin.p12 (in general <username>/<username>.p12), which holds the client's private key and certificate protected by the export password. Enter the Common Name exactly as the CGI script and any authorization rule will expect it: it is the identity Apache later exposes as SSL_CLIENT_S_DN_CN. The .p12 file is needed only for two-way SSL and is imported into the browser in step 4.1. Hand it to the user over a trusted channel; whoever holds the file and its password can authenticate as that user.
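The whole of step 1 as one script, written here as an added example (it is not the post's script). It keeps the post's three extension sections but fixes what breaks in practice: sha256 signatures, a subjectAltName on the server certificate, serials taken from a CA-maintained counter file so no two client certificates share a serial, and the CA key read in place instead of being copied into per-user directories. The host name master.company.com, the subject fields, the output directory ($WORKDIR, a temp dir unless set) and the demo export password are assumptions; it needs openssl 1.1.1 or 3.x.

```bash
#!/bin/bash
# Added example (not the post's script): step 1 end to end, with
# sha256 signatures, a SAN on the server cert, unique serials via the
# CA's ca.srl counter file and the CA key read in place.
# Assumptions: openssl 1.1.1/3.x, hostname master.company.com, output
# in $WORKDIR (temp dir unless set), demo .p12 password in $P12_PASS.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_FQDN="${SERVER_FQDN:-master.company.com}"
DN_BASE="/C=IN/L=Bangalore/O=COMPANY.COM"
P12_PASS="${P12_PASS:-changeit}"
CNF="$WORKDIR/openssl.cnf"

# Same three extension sections as the post's openssl.cnf; the subject is
# passed with -subj, so there are no interactive prompts.
write_cnf() {
cat > "$CNF" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
O = COMPANY.COM

[ certauth ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
crlDistributionPoints  = URI:http://$SERVER_FQDN/ca.crl

[ server ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$SERVER_FQDN
crlDistributionPoints  = URI:http://$SERVER_FQDN/ca.crl

[ client ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
crlDistributionPoints  = URI:http://$SERVER_FQDN/ca.crl
EOF
}

# Step 1.2: self-signed CA. Skipped if the CA key already exists.
make_ca() {
  [ -f "$WORKDIR/ca.key" ] && return 0
  openssl req -config "$CNF" -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
    -x509 -days 3650 -extensions certauth \
    -subj "$DN_BASE/CN=COMPANY Root CA" -out "$WORKDIR/ca.cer" 2>/dev/null
}

# issue NAME SECTION DAYS CN: key + CSR, then sign with the chosen extension
# section. -CAserial/-CAcreateserial create ca.srl on first use and
# increment it afterwards, which is what keeps serials unique.
issue() {
  local name=$1 section=$2 days=$3 cn=$4
  openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
  openssl req -config "$CNF" -new -key "$WORKDIR/$name.key" \
    -subj "$DN_BASE/CN=$cn" -out "$WORKDIR/$name.req"
  openssl x509 -req -in "$WORKDIR/$name.req" -CA "$WORKDIR/ca.cer" \
    -CAkey "$WORKDIR/ca.key" -CAserial "$WORKDIR/ca.srl" -CAcreateserial \
    -extfile "$CNF" -extensions "$section" -days "$days" \
    -out "$WORKDIR/$name.cer" 2>/dev/null
  rm -f "$WORKDIR/$name.req"
}

make_server() { issue server server 3650 "$SERVER_FQDN"; }

# make_client USER: client cert plus USER.p12 for the browser import.
make_client() {
  issue "$1" client 365 "$1"
  openssl pkcs12 -export -inkey "$WORKDIR/$1.key" -in "$WORKDIR/$1.cer" \
    -certfile "$WORKDIR/ca.cer" -passout "pass:$P12_PASS" -out "$WORKDIR/$1.p12"
}

# Checks: serial and CN of a cert, and chain + purpose verification. The
# server cert must fail verify_as sslclient (its EKU is serverAuth only),
# so a leaked server.cer cannot be replayed as a client identity.
serial_of() { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }
cn_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'; }
verify_as() { openssl verify -CAfile "$WORKDIR/ca.cer" -purpose "$1" "$2" >/dev/null 2>&1; }

main() {
  if [ $# -eq 0 ]; then
    echo "usage: $0 user [user ...]  (CA and server cert are created if missing)" >&2
    return 0
  fi
  write_cnf; make_ca; make_server
  for u in "$@"; do
    make_client "$u"
    echo "$u: serial $(serial_of "$WORKDIR/$u.cer") -> $WORKDIR/$u.p12"
  done
}
main "$@"
```

Running ./mkcerts.sh sachin rahul prints one line per user with its serial; the two serials differ, which is what the post's fixed -set_serial 101 does not give you. Against a live server the same material is exercised with openssl s_client -connect master.company.com:443 -CAfile ca.cer -cert sachin.cer -key sachin.key, where "Verify return code: 0 (ok)" confirms the server side and a completed handshake confirms the client certificate was accepted.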
2. Set up the Apache web server for SSL

Follow this blog for the basic setup.

2.1 Install the mod_ssl module

yum install mod_ssl

2.2 Edit /etc/httpd/conf.d/ssl.conf

vi /etc/httpd/conf.d/ssl.conf

Edit, for example:

SSLCertificateFile /var/www/ssl/server.cer
SSLCertificateKeyFile /var/www/ssl/server.key
SSLCACertificateFile /var/www/ssl/ca.cer
## below entries only for two-way SSL
SSLVerifyClient require
SSLVerifyDepth 1

SSLVerifyClient require makes Apache abort the handshake unless the browser presents a certificate that chains to a CA in SSLCACertificateFile. Because the client certificates are signed directly by ca.cer, a depth of 1 is enough; a larger depth only widens what is accepted. Be clear about what this gives you: any certificate this CA has ever issued is accepted, so it authenticates the holder but does not decide who is allowed in (that is the job of step 3), and a lost or stolen client certificate stays valid until it expires unless you publish a CRL and point Apache at it with SSLCARevocationFile and SSLCARevocationCheck chain. The stock ssl.conf already contains a <Files ~ "\.(cgi|shtml|phtml|php3?)$"> block and a <Directory "/var/www/cgi-bin"> block with SSLOptions +StdEnvVars; leave them in place, because that is what exports the SSL_CLIENT_* variables the CGI script in step 3 reads.

2.3 Disable port 80 (non-SSL) or redirect it to SSL

The SSL port is 443.

vi /etc/httpd/conf/httpd.conf

Either comment out the listener:

#Listen 80

Or keep port 80 and redirect HTTP to HTTPS:

<VirtualHost *:80>
ServerName master.company.com
Redirect "/" "https://master.company.com/"
</VirtualHost>
3. Create the CGI script that reads the client certificate

3.1 vi ssluser.cgi

Place the script in the CGI directory (/var/www/cgi-bin on a stock install) and make it executable. With SSLOptions +StdEnvVars in effect for that location, mod_ssl exports the fields of the verified client certificate into the CGI environment, so the script reads the variable directly instead of scraping the output of env, which breaks if the Common Name itself contains "=".

#!/bin/bash
# mod_ssl sets SSL_CLIENT_S_DN_CN after a successful client certificate
# check (requires SSLOptions +StdEnvVars for this location).
USER="${SSL_CLIENT_S_DN_CN:-}"
echo "Content-type: text/html"
echo ""
echo "<html><head><title>SERVER STATUS</title></head><body>"
echo "<pre>"
echo "USER is $USER"
echo "</pre>"
echo "</body></html>"

SSL_CLIENT_S_DN_CN provides the CN from the client certificate; SSL_CLIENT_S_DN gives the whole subject and SSL_CLIENT_VERIFY the result of the check (SUCCESS when the certificate chained to ca.cer). As written the script only reports who connected; it does not yet decide who may use it.
4. Import the client certificate into the Firefox browser and run from the browser

4.1 Import the p12 file into Firefox
4.1.1 In Firefox, open Options
4.1.2 Click Advanced -> View Certificates
4.1.3 On the "Your Certificates" tab, click Import and select the downloaded .p12 file
4.1.4 Enter the export password you set in step 1.5
After the import, click OK on the success message

4.2 Open the URL
4.2.1 Add an exception

4.3 Output
The server certificate is issued by your own CA, which Firefox does not trust, so Firefox shows a security exception page. Either add an exception or import ca.cer under the "Authorities" tab so the warning goes away. Firefox then asks which client certificate to present (unless it is set to choose one automatically) and the page shows "USER is sachin".

At this point the user is authenticated by the client certificate: Apache has checked that the presented certificate chains to ca.cer, and the CN comes from that certificate rather than from anything the user typed. Nothing yet restricts which of the CA's users may use the script, so authorization has to be added to the script, for example an allow-list of CNs, or enforced in the Apache configuration.
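The CGI script of step 3 extended with the authorization step that 4.3 leaves to the reader, as an added example (this is not the post's ssluser.cgi). Apache has already authenticated the caller and exported the subject CN; the script decides which authenticated CNs may use it, denies an empty CN instead of treating it as an anonymous user, and escapes the CN before echoing it into HTML, since the CN is whatever was typed at the CSR prompt. The ALLOWED_CNS allow-list and the two user names are illustrative assumptions.

```bash
#!/bin/bash
# Added example, not the post's ssluser.cgi: the same CGI plus an
# authorization step. Apache has AUTHENTICATED the caller (the cert
# chains to SSLCACertificateFile) and, with SSLOptions +StdEnvVars,
# exported its CN as $SSL_CLIENT_S_DN_CN. AUTHORIZATION is the separate
# decision of which CNs may use this script; without it every
# certificate the CA ever issued gets in.
# Assumption: the allow-list is the illustrative ALLOWED_CNS variable.
set -u

ALLOWED_CNS="${ALLOWED_CNS:-sachin rahul}"   # space-separated CNs (illustrative)

# The CN is whatever was typed at the CSR prompt: escape before it goes
# into HTML. '&' first so the entities added afterwards are not re-escaped.
html_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# authorize CN: 0 if CN is allow-listed, 1 otherwise. An empty CN (no
# client cert because SSLVerifyClient is not "require", or StdEnvVars
# missing) is denied rather than treated as an anonymous user.
authorize() {
  local cn=$1 allowed
  [ -n "$cn" ] || return 1
  for allowed in $ALLOWED_CNS; do
    [ "$cn" = "$allowed" ] && return 0
  done
  return 1
}

# render CN: complete CGI response; the Status header tells Apache which
# HTTP status code to send.
render() {
  local cn=$1 safe_cn
  safe_cn=$(html_escape "$cn")
  if authorize "$cn"; then
    printf 'Status: 200 OK\r\nContent-type: text/html\r\n\r\n'
    printf '<html><head><title>SERVER STATUS</title></head><body><pre>\n'
    printf 'USER is %s\n' "$safe_cn"
    printf 'Client verify: %s\n' "$(html_escape "${SSL_CLIENT_VERIFY:-NONE}")"
    printf '</pre></body></html>\n'
  else
    printf 'Status: 403 Forbidden\r\nContent-type: text/html\r\n\r\n'
    printf '<html><body><pre>Certificate CN "%s" is not authorized</pre></body></html>\n' "$safe_cn"
  fi
}

render "${SSL_CLIENT_S_DN_CN:-}"
```

The same rule can be enforced before the script runs: in Apache 2.4, Require expr %{SSL_CLIENT_S_DN_CN} in {'sachin','rahul'} inside the <Directory "/var/www/cgi-bin"> block fails closed for every other certificate, and the script check then only has to cover per-user behaviour. Either way the decision is keyed on a field of a CA-signed certificate, never on a parameter the client controls.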
In Chrome
1. Go to chrome://settings/certificates (enter it in the Chrome address bar)
2. Import the p12 certificate under "Your certificates"
3. Access the URL and add the web site to the security exceptions (or import ca.cer under "Authorities" to avoid the warning)