13 August 2012

Authenticate users with client certificates on Apache and IIS

Objective:

Do you want to authenticate users with client SSL certificates instead of a traditional password form (a known weak point)? This post shows how to do that with OpenSSL and Apache/IIS.



Requirements:

  • An understanding of the SSL private/public key infrastructure (PKI).
  • We will assume three separate servers:

Functions of each server:

  • CA Server: acts as the certificate authority; it uses the OpenSSL tools to create, sign and otherwise manage the certificates for the two web servers and for the clients.
  • Apache Server: serves HTTPS with Apache (httpd).
  • IIS Server: serves HTTPS with Windows IIS.

Alternative software:

This post is based on a Linux system and uses the openssl package for the deployment.

If you are not familiar with Linux, you can download the Windows build of OpenSSL; it works the same way as on Linux.

Primary steps:

  1. Create a self-signed rootCA certificate on the CA Server.
  2. Create certificate requests for the Apache and IIS servers.
  3. Sign the requests with the rootCA.
  4. Configure Apache and IIS with the signed certificates.
  5. Connect from the client.

Steps in detail:

1. Create the self-signed rootCA certificate on the CA Server.

Check whether the CA Server has the OpenSSL package installed.

CAServer# rpm -qa | grep openssl

openssl-1.0.0j-1.fc17.x86_64

If not, install it with the yum command.

CAServer# yum install openssl

Generate the private key for the rootCA.

CAServer# openssl genrsa -out rootCA.key 1024

Generating RSA private key, 1024 bit long modulus
..........++++++
.......++++++
e is 65537 (0x10001)

Generate the self-signed rootCA certificate with the private key generated above. This certificate will be valid for 10 years (3650 days).

CAServer# openssl req -out rootCA.cert -key rootCA.key -new -x509 -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rootCA
Email Address []:

Let's check the information in the rootCA certificate.

CAServer# openssl x509 -subject -issuer -email -noout -in rootCA.cert

subject= /C=XX/L=Default City/O=Default Company Ltd/CN=rootCA
issuer= /C=XX/L=Default City/O=Default Company Ltd/CN=rootCA

The issuer and subject entries are identical, as expected for a self-signed certificate.

So we now have the two files the CA Server needs.

CAServer# file rootCA.*

rootCA.cert: PEM certificate
rootCA.key: PEM RSA private key

2. Create Certificate Request for the Apache and IIS Server.

2.1 For the Apache Server:

Generate the private key for the Apache Server.

ApacheServer# openssl genrsa -out Apache.key 1024

Generating RSA private key, 1024 bit long modulus
..............++++++
..++++++
e is 65537 (0x10001)

Generate the certificate request file for the Apache Server with the private key generated above.

ApacheServer# openssl req -out Apache.req -key Apache.key -new -days 365

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Apache Server
Organizational Unit Name (eg, section) []:Apache Server
Common Name (eg, your name or your server's hostname) []:apache.linuxbyexamples.net
Email Address []:

Check the information in the Apache request file.

ApacheServer# openssl req -subject -noout -in Apache.req

subject=/C=XX/L=Default City/O=Apache Server/OU=Apache Server/CN=apache.linuxbyexamples.net

So we now have the two files the Apache Server needs.

ApacheServer# file Apache.*

Apache.req: PEM certificate request
Apache.key: PEM RSA private key

2.2 For the IIS Server:

We will use the OpenSSL tools on the Apache Server to create the files the IIS Server needs. Alternatively, you can install OpenSSL for Windows on the IIS Server and run the same commands there.

Generate the private key for the IIS Server.

ApacheServer# openssl genrsa -out IIS.key 1024

Generating RSA private key, 1024 bit long modulus
..........................................................++++++
.....................++++++
e is 65537 (0x10001)

Generate the certificate request file for the IIS Server with the private key generated above.

ApacheServer# openssl req -out IIS.req -key IIS.key -new -days 365

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:IIS Server
Organizational Unit Name (eg, section) []:IIS Server
Common Name (eg, your name or your server's hostname) []:iis.linuxbyexamples.net
Email Address []:

Check the information in the IIS request file.

ApacheServer# openssl req -subject -noout -in IIS.req

subject=/C=XX/L=Default City/O=IIS Server/OU=IIS Server/CN=iis.linuxbyexamples.net

So we now have the two files the IIS Server needs.

ApacheServer# file IIS.*

IIS.req: PEM certificate request
IIS.key: PEM RSA private key
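Steps 1 and 2 above, run non-interactively, as an added example that is not code from the original post: it creates the rootCA key and self-signed certificate, then the Apache and IIS keys and requests with the post's DNs and hostnames, and ends with the checks you would run before handing the requests to the CA. It assumes the openssl CLI and a POSIX shell; the config file req.cnf, the SAN_HOST variable, the function names, the 2048-bit key size (instead of the post's 1024) and the subjectAltName entries are this example's own choices. The -days option the post passes on the request commands is left out, because a request carries no validity period; the CA decides that when it signs in step 3.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1 and 2 done non-interactively,
# plus the checks to run on the result. Assumes the openssl CLI is installed.
# DNs and hostnames are the post's; 2048-bit keys replace the post's 1024-bit ones,
# and the config file, SAN entries and function names are this example's own choices.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# A small config replaces the interactive prompts. v3_ca marks the root as a CA
# allowed to sign certificates and CRLs; v3_req asks for a subjectAltName, which
# clients match against the hostname (the CN alone is no longer enough).
# SAN_HOST is taken from the environment when the config is parsed.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
default_md         = sha256
x509_extensions    = v3_ca
req_extensions     = v3_req
[ dn ]
# left empty: the DN is given with -subj on the command line
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
subjectAltName = DNS:${ENV::SAN_HOST}
EOF

# Step 1: rootCA private key and self-signed certificate, valid for 10 years.
# SAN_HOST is irrelevant to the CA cert but must exist because the whole config is parsed.
make_root_ca() {
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    SAN_HOST=unused openssl req -new -x509 -days 3650 -config req.cnf \
        -key rootCA.key -out rootCA.cert \
        -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=rootCA"
}

# Step 2: server private key and certificate request.
# $1 = file prefix (Apache or IIS), $2 = hostname for CN and SAN, $3 = organisation.
# No -days: a request carries no validity period; the CA sets it when signing.
make_server_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    SAN_HOST="$2" openssl req -new -config req.cnf -key "$1.key" -out "$1.req" \
        -subj "/C=XX/L=Default City/O=$3/OU=$3/CN=$2"
}

# Check: subject equals issuer and the signature verifies against the cert itself.
root_is_self_signed() {
    subj=$(openssl x509 -noout -subject -in rootCA.cert | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in rootCA.cert | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] || return 1
    openssl verify -CAfile rootCA.cert rootCA.cert >/dev/null 2>&1
}

# Check: the CA flag is set, so the certificate can be used to sign the requests.
root_is_ca() {
    openssl x509 -noout -text -in rootCA.cert | grep -q 'CA:TRUE'
}

# Check: the request's self-signature verifies, i.e. it was made with the key beside it.
csr_is_valid() {
    openssl req -noout -verify -in "$1.req" >/dev/null 2>&1
}

# Print the CN of a request; handles both the old "/CN=x" and the new "CN = x" formats.
csr_cn() {
    openssl req -noout -subject -in "$1.req" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check: the request carries the expected DNS subjectAltName.
csr_has_san() {
    openssl req -noout -text -in "$1.req" | grep -q "DNS:$2"
}

make_root_ca
make_server_csr Apache apache.linuxbyexamples.net "Apache Server"
make_server_csr IIS iis.linuxbyexamples.net "IIS Server"

root_is_self_signed && root_is_ca && echo "rootCA.cert: self-signed CA certificate"
for s in Apache IIS; do
    csr_is_valid "$s" && echo "$s.req: signature OK, CN=$(csr_cn "$s")"
done
echo "files are in $WORKDIR"
```

Save it to a file and run it with sh; the files land in a fresh temporary directory (set WORKDIR to choose one). Two of the checks are worth keeping in your own scripts: `openssl verify -CAfile rootCA.cert rootCA.cert` only succeeds for a genuinely self-signed certificate, and `openssl req -verify` proves that a request was produced with the private key next to it, which is the one thing to confirm before the CA signs anything it receives.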

Next to Part 2 >>