Objective :
You want to authenticate users with client SSL certificates instead of a traditional password form (a known weakness)? This post shows how to do that with OpenSSL and Apache/IIS.
Requirement :
- Understanding of the SSL private/public key infrastructure.
- Let's suppose that we will use 3 separate servers.
Functions of each server :
- CA Server : This server acts as the CA. It uses the OpenSSL tools to create and sign the certificates for the two web servers and for the clients.
- Apache Server : This server serves HTTPS with Apache (httpd).
- IIS Server : This server serves HTTPS with Windows IIS.
- Create self signed rootCA Certificate for CA Server.
- Create Certificate Request for the Apache and IIS Server.
- Sign the Request by RootCA.
- Configure the Apache and IIS servers with the signed certificates.
- Connect from the Client.
Steps in detail :
1. Create self-signed rootCA Certificate for the CAserver.
Check that the OpenSSL package is installed on the CAServer.
CAServer# rpm -qa | grep openssl
openssl-1.0.0j-1.fc17.x86_64
If not, install it with yum.
CAServer# yum install openssl
Generate the private key for the rootCA. The 1024-bit key shown here is what the post used; current guidance is 2048 bits or more, and modern browsers and CAs reject 1024-bit keys. Note that genrsa without a cipher option writes the key unencrypted: keep rootCA.key offline and readable only by root, because anyone holding it can issue certificates that your servers will trust.
CAServer# openssl genrsa -out rootCA.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
.......++++++
e is 65537 (0x10001)
Generate the self-signed rootCA certificate with the private key above. This certificate will be valid for 10 years (3650 days).
CAServer# openssl req -out rootCA.cert -key rootCA.key -new -x509 -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rootCA
Email Address []:
Let's check the information in the rootCA certificate.
CAServer# openssl x509 -subject -issuer -email -noout -in rootCA.cert
subject= /C=XX/L=Default City/O=Default Company Ltd/CN=rootCA
issuer= /C=XX/L=Default City/O=Default Company Ltd/CN=rootCA
The issuer and subject entries are identical, as expected for a self-signed certificate.
So we've got the two needed files for the CAServer.
CAServer# file rootCA.*
rootCA.cert: PEM certificate
rootCA.key: PEM RSA private key
2. Create Certificate Request for the Apache and IIS Server.
2.1 For Apache server :
Generate the private key for the Apache server.
ApacheServer# openssl genrsa -out Apache.key 1024
Generating RSA private key, 1024 bit long modulus
..............++++++
..++++++
e is 65537 (0x10001)
Generate the certificate request file for the Apache server with the private key above.
ApacheServer# openssl req -out Apache.req -key Apache.key -new -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Apache Server
Organizational Unit Name (eg, section) []:Apache Server
Common Name (eg, your name or your server's hostname) []:apache.linuxbyexamples.net
Email Address []:
See the information in the Apache request file.
ApacheServer# openssl req -subject -noout -in Apache.req
subject=/C=XX/L=Default City/O=Apache Server/OU=Apache Server/CN=apache.linuxbyexamples.net
So we've got the two needed files for the ApacheServer.
ApacheServer# file Apache.*
Apache.req: PEM certificate request
Apache.key: PEM RSA private key
2.2 For IIS server :
We will use the OpenSSL tools on the ApacheServer to create the required files for the IIS server. You can also install OpenSSL for Windows on the IIS server instead.
Generate the private key for the IIS server.
ApacheServer# openssl genrsa -out IIS.key 1024
Generating RSA private key, 1024 bit long modulus
..........................................................++++++
.....................++++++
e is 65537 (0x10001)
Generate the certificate request file for the IIS server with the private key above.
ApacheServer# openssl req -out IIS.req -key IIS.key -new -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:IIS Server
Organizational Unit Name (eg, section) []:IIS Server
Common Name (eg, your name or your server's hostname) []:iis.linuxbyexamples.net
Email Address []:
See the information in the IIS request file.
ApacheServer# openssl req -subject -noout -in IIS.req
subject=/C=XX/L=Default City/O=IIS Server/OU=IIS Server/CN=iis.linuxbyexamples.net
So we've got the two needed files for the IIS server.
ApacheServer# file IIS.*
IIS.req: PEM certificate request
IIS.key: PEM RSA private key
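Steps 1 to 3 of the outline (root CA, server requests, signing by the rootCA) carried through in one runnable script, as an added example that is not code from the original post. It also issues the client certificate the post's objective calls for and bundles it as PKCS#12 for a browser, and it shows the check the web server later performs: a certificate that chains to rootCA.cert passes, a self-signed one with the same CN does not. The working directory, the "alice" client name, the "changeit" PKCS#12 passphrase and the 2048-bit key size are assumptions; the hostnames are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: the CA / CSR / signing
# flow of steps 1-3 done end to end in one directory, plus a client
# certificate for the browser. Directory, client name, PKCS#12 passphrase
# and key size are assumptions for illustration.
set -eu

# Build a root CA and sign server and client certificates under "$1".
build_pki() {
    dir=$1
    mkdir -p "$dir"
    (
        cd "$dir"

        # Step 1: root CA. 2048-bit keys; the 1024-bit keys in the post
        # are below the minimum that current clients and CAs accept.
        openssl genrsa -out rootCA.key 2048 2>/dev/null
        openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.cert \
            -subj "/C=XX/O=Example CA/CN=rootCA"

        # Steps 2 and 3: one key, request and CA-signed certificate per web server.
        for host in apache.linuxbyexamples.net iis.linuxbyexamples.net; do
            name=${host%%.*}
            openssl genrsa -out "$name.key" 2048 2>/dev/null
            openssl req -new -key "$name.key" -out "$name.req" \
                -subj "/C=XX/O=$name/CN=$host"
            # Browsers match the hostname against subjectAltName, not CN,
            # so the extension is handed to the signer via -extfile.
            printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$name.ext"
            openssl x509 -req -days 365 -in "$name.req" -CA rootCA.cert \
                -CAkey rootCA.key -CAcreateserial -extfile "$name.ext" \
                -out "$name.cert" 2>/dev/null
        done

        # Client certificate: same flow, marked for client authentication,
        # then bundled with its key as PKCS#12 for import into a browser.
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -new -key client.key -out client.req -subj "/C=XX/O=Clients/CN=alice"
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
        openssl x509 -req -days 365 -in client.req -CA rootCA.cert -CAkey rootCA.key \
            -CAcreateserial -extfile client.ext -out client.cert 2>/dev/null
        openssl pkcs12 -export -in client.cert -inkey client.key -certfile rootCA.cert \
            -out client.p12 -passout pass:changeit
    )
}

# Self-signed certificate from an unrelated key with the same CN: what an
# attacker who cannot reach rootCA.key can produce. Written to "$1/rogue.cert".
make_rogue_cert() {
    openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
        -keyout "$1/rogue.key" -out "$1/rogue.cert" \
        -subj "/C=XX/O=Attacker/CN=alice" 2>/dev/null
}

# Returns 0 only if the certificate "$2" chains to rootCA.cert in "$1".
# This is the check Apache/IIS perform on a presented client certificate.
verify_chain() {
    openssl verify -CAfile "$1/rootCA.cert" "$2" >/dev/null 2>&1
}

# Prints the issuer of a certificate, to confirm that step 3 used the rootCA.
cert_issuer() {
    openssl x509 -noout -issuer -in "$1"
}
```

Run it as `build_pki ./pki` after sourcing the script; the resulting rootCA.cert is what the web server is later pointed at as its trusted CA for client certificates (in Apache the SSLCACertificateFile and SSLVerifyClient directives), and client.p12 is what the user imports into the browser. The rogue certificate illustrates why only rootCA.key matters to an attacker: matching the subject is trivial, producing a signature that verifies against rootCA.cert is not.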