How to do client certificate authentication with Apache

Solution 1

You'll find instructions on how to create a CA cert and certs signed by this CA cert here: http://pages.cs.wisc.edu/~zmiller/ca-howto/

Things go like this:

  • you set up your root CA key and cert
  • client generates his private key and certificate request
  • they send you the certificate request
  • you generate the certificate using the certificate request, your root CA cert and root CA key
  • you return the certificate to the client

You can then check that the client presents a certificate which is "signed" by the CA.
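An added example, not the answer's own commands or the linked how-to, that runs the five steps above with the openssl CLI and then checks the result the way Apache does: chain validation against the CA certificate (the file SSLCACertificateFile should point at), not a byte-for-byte comparison. The CA name, the client name alice and all file names are made up.

```shell
#!/bin/sh
# Added example, not the answer's own commands; file and client names are made up.
set -eu

# Step 1: the server operator creates the root CA key and self-signed cert
# (relies on the default openssl.cnf marking "req -x509" output as CA:TRUE).
make_ca() {                        # $1 = directory
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Client CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 2: the client makes a private key and a certificate request (CSR).
# The key stays with the client; only the CSR is sent to the CA.
make_client_csr() {                # $1 = directory, $2 = client name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Steps 3-5: the CA signs the CSR with its own key; the resulting cert
# is what gets returned to the client.
sign_client_csr() {                # $1 = directory, $2 = client name
  openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# What "SSLVerifyClient require" checks: the presented cert chains to a CA
# listed in SSLCACertificateFile (ca.crt here). It is a signature check,
# not a byte comparison, so the server never needs a copy of alice.crt.
verify_client_cert() {             # $1 = CA cert, $2 = client cert -> ok|fail
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Demo: issue a cert to "alice", then show that only the issuing CA
# validates it; a second, unrelated CA rejects the same cert.
demo() {
  d=$(mktemp -d)
  make_ca "$d"
  make_client_csr "$d" alice
  sign_client_csr "$d" alice
  mkdir "$d/other" && make_ca "$d/other"
  echo "issuing CA:   $(verify_client_cert "$d/ca.crt" "$d/alice.crt")"
  echo "unrelated CA: $(verify_client_cert "$d/other/ca.crt" "$d/alice.crt")"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ca-demo.sh demo`: the issuing CA line prints ok and the unrelated CA line prints fail, which is exactly the distinction Apache draws when it accepts or aborts the handshake.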

Solution 2

It is important to understand SSLVerifyClient and the other directives. From Practical Issues with TLS Client Certificate Authentication (page 3):

The default value none of SSLVerifyClient does not require CCA; therefore the server will not include a CertificateRequest message in the TLS handshake.

The value require will require CCA, and thus the CertificateRequest message will be included in the handshake. If the client does not provide any certificate in the client’s Certificate message or mod_ssl fails to verify the certificate provided, the TLS handshake will be aborted and a fatal TLS alert message will be sent to the client.

The value optional is the same as require, but an empty client’s Certificate message will be tolerated.

The last possible value optional_no_ca is the same as optional, but in addition it allows a client’s certificate to be submitted that does not chain up to the CA trusted by the server (because of a bug in OpenSSL [6] not yet valid or expired non-self-signed client certificates will also be accepted).

The value optional_no_ca can be used to perform certificate verification at an application level or to implement PKI-less public-key authentication that uses X.509 certificates as a public-key transport.

Author by user3354832

Updated on July 22, 2022

Comments

  • user3354832
    user3354832 almost 2 years

    The question is very clear but I did not find any useful tutorial online. So I wish I could have some luck here.

    Basically, I want to build a client certificate authentication with Apache. I configured the conf file for Apache for the site I am hosting. The conf I put is here:

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/apache2/ssl/client.crt
    

    However I have no idea how to generate the certificate and key file for the client. And also, what file should I put on the SSLCACertificateFile in the Apache server configurations?

    Does the server simply compare the certificate file sent from the client with the certificate file on the server? What exactly is the client certificate authentication doing?

  • user3354832
    user3354832 almost 10 years
    That makes so much sense. Thank you! Also, what is the key used for during the verification process?
  • user3354832
    user3354832 almost 10 years
    So is the client certificate totally independent of the server certificate?
  • jcaron
    jcaron almost 10 years
    From the server certificate (the one you use in most https situations), yes. It is linked only to the root CA certificate.
  • jcaron
    jcaron almost 10 years
    @user3354832, of course, you could also use client certificates that are generated by someone else you trust rather than your own CA.