“A good solution applied with vigor now is better than a perfect solution applied ten minutes later.”
- General George Smith Patton III (source)
Most readers are probably familiar with X.509 certificates as used with TLS/SSL to secure websites with strong encryption. For commercial websites, this usually means presenting a digital certificate which has been verified and signed by a certificate authority , once the secure connection is established, user credentials are passed, e.g. username/password; however, X.509 certificates may also be used on the client side to supplement or even eliminate the need for users to enter passwords.
Intranets and temporary web applications are two examples wherein developers may choose to forgo the use of a widely accepted certificate authority in favor of a self-signed certificate. Naturally, this is a compromise which may or not impinge overall security depending on factors which will not be considered here.Strictly considered, this text has little information on security at all, rather, it is simply outlines an expedient way to set up X.509 client certificate authentication.
1. The Server Certificate
The following command will generate a self-signed web certificate and unencrypted key (no password required).
openssl req -new -x509 -nodes -out server.crt -keyout server.key -days 1825 \
-subj "/C=US/ST=NY/O=Example Inc/CN=example.com/emailAddressfirstname.lastname@example.org/"
2. Configuring Apache
This example illustrates enabling SSL in the apache config, note that because this is a self signed certificate, the same file is used for the Certificate and CA Certificate. The <Location> directive specifies where client certificates will be required; visit the Apache site for additional relevant directives.
3. Client Certificates
The server certificate is used to generate a client certificate using the PKCS#12 standard
openssl pkcs12 -export -out example.pfx -in example.crt -inkey example.key \
-name "Example Client Certificate"
If a password was entered during the previous command, users will need to enter the same password when installing the certificate. Firefox users can import example.pfx by navigating through:
Prefs ⇨ Encryption ⇨ View Certs ⇨ Your Certs ⇨ Import
Upon visiting https://example.com/clients users will be prompted to present the client certificate.