Wednesday, May 19, 2010

3 Easy Steps to SSL Client Authentication

There are many resources on the Internet for correctly securing Apache web sites with X.509 client certificate authentication. This isn't one of them. What follows is a three-step guide to the fastest, easiest method for setting up self-signed server and client certificates. You are advised not to run any of the commands below in a production environment; they are presented only as an aid for those who learn kinesthetically.
A good solution applied with vigor now is better than a perfect solution applied ten minutes later.
- General George Smith Patton III


Most readers are probably familiar with X.509 certificates as used with TLS/SSL to secure websites with strong encryption. For commercial websites this usually means presenting a digital certificate that has been verified and signed by a certificate authority; once the secure connection is established, user credentials such as a username and password are passed. X.509 certificates may also be used on the client side to supplement, or even eliminate, the need for users to enter passwords.

Intranets and temporary web applications are two examples where developers may choose to forgo a widely accepted certificate authority in favor of a self-signed certificate. Naturally, this is a compromise which may or may not impinge on overall security, depending on factors that will not be considered here. Strictly speaking, this text has little information on security at all; rather, it simply outlines an expedient way to set up X.509 client certificate authentication.

1. The Server Certificate


The following command will generate a self-signed web certificate and unencrypted key (no password required). The output files are named example.crt and example.key, the names the Apache config and step 3 refer to.
# Self-signed server certificate, valid for five years, key stored unencrypted (-nodes).
openssl req -new -x509 -nodes -out example.crt -keyout example.key -days 1825 \
    -subj "/C=US/ST=NY/O=Example Inc/CN=example.com/emailAddress=info@example.com/"

2. Configuring Apache


This example illustrates enabling SSL in the Apache config. Note that because this is a self-signed certificate, the same file is used for the Certificate and the CA Certificate, so any certificate issued from example.key will be accepted as a client certificate. The <Location> directive specifies where client certificates will be required; visit the Apache site for additional relevant directives.
<VirtualHost *:443>
  DocumentRoot /var/www/example.com
  ServerName example.com
  ServerAlias *.example.com

  SSLEngine on
  SSLCertificateFile conf/ssl/example.crt
  SSLCertificateKeyFile conf/ssl/example.key
  # Self-signed setup: the server certificate doubles as the CA that client certificates are checked against.
  SSLCACertificateFile conf/ssl/example.crt

  # Client certificates are demanded only for this path.
  <Location /clients>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 10
  </Location>
</VirtualHost>

3. Client Certificates


The server certificate and its key are bundled into a client certificate using the PKCS#12 standard. Be aware that the resulting file contains the server's private key, so anyone holding example.pfx can also impersonate the server; this is part of the "expedient, not production" trade-off.
# Prompts for an export password; the .pfx carries both the certificate and the (server) private key.
openssl pkcs12 -export -out example.pfx -in example.crt -inkey example.key \
    -name "Example Client Certificate"

If a password was entered during the previous command, users will need to enter the same password when installing the certificate. Firefox users can import example.pfx by navigating through:

Prefs ⇨ Encryption ⇨ View Certs ⇨ Your Certs ⇨ Import


Upon visiting https://example.com/clients users will be prompted to present the client certificate.
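The same three steps done without handing clients the server's private key, as an added example that is not from the original post: a throwaway local CA signs a certificate for a key generated per client, the chain is verified the way mod_ssl would, and the result is bundled as a .pfx. The file names (ca.*, client.*), subject names and the import password are this example's own choices; Apache would then use the CA certificate in SSLCACertificateFile instead of the server certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: give each client its own key,
# signed by a small local CA, instead of shipping the server's key in the .pfx.
# File names (ca.*, client.*) and subject names are this example's own choices.
set -eu

# Build ca.crt, client.key/client.crt signed by it, and client.pfx inside "$1".
# Returns 0 only if client.crt verifies against ca.crt (what SSLVerifyClient checks).
make_client_cert() (
    cd "$1" || exit 1
    days=30    # short lifetime for a throwaway CA

    # 1. Local CA: self-signed, unencrypted key (-nodes); ca.key stays off the web server.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/C=US/ST=NY/O=Example Inc/CN=Example Client CA" \
        -keyout ca.key -out ca.crt 2>/dev/null &&
    # 2. Client key and CSR; each client gets its own private key.
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=US/ST=NY/O=Example Inc/CN=alice/emailAddress=alice@example.com" \
        -keyout client.key -out client.csr 2>/dev/null &&
    # 3. CA signs the CSR (-CAcreateserial writes ca.srl for the serial number).
    openssl x509 -req -days "$days" -in client.csr \
        -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt 2>/dev/null &&
    # 4. Verify the chain the way mod_ssl will; "client.crt: OK" means it chains to ca.crt.
    openssl verify -CAfile ca.crt client.crt | grep -q ': OK$' &&
    # 5. Bundle for the browser; -passout sets the import password (constructed value).
    openssl pkcs12 -export -name "Alice (Example Inc)" \
        -in client.crt -inkey client.key -certfile ca.crt \
        -passout pass:changeit -out client.pfx
)

# Apache then points SSLCACertificateFile at ca.crt instead of the server certificate.
main() {
    work=$(mktemp -d)
    make_client_cert "$work" && echo "client.pfx written to $work"
}
main "$@"
```

The browser import in step 3 is unchanged; only ca.crt (never ca.key) needs to be copied to the web server.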