22 August 2013

Authenticate users with client certificates on Apache and IIS - Part 2

<< Back to Part 1

3. Sign the certificate requests with rootCA.

Copy the two files Apache.req and IIS.req to the CAServer.

3.1 For the Apache server:

Sign Apache.req with the rootCA certificate and private key.

CAServer# openssl x509 -in Apache.req -out Apache.cert -days 365 -req -CA rootCA.cert -CAkey rootCA.key -CAcreateserial

Signature ok
subject=/C=XX/L=Default City/O=Apache Server/OU=Apache Server/CN=apache.linuxbyexamples.net
Getting CA Private Key


We've got the file Apache.cert; let's inspect it. Note that openssl x509 -req copies no extensions from the request, so without an -extfile the certificate has no subjectAltName; modern browsers match the hostname against the SAN rather than the CN, so add one via -extfile if the certificate must pass hostname checks.

CAServer# openssl x509 -subject -issuer -noout -in Apache.cert 

subject= /C=XX/L=Default City/O=Apache Server/OU=Apache Server/CN=apache.linuxbyexamples.net
issuer= /C=XX/L=Default City/O=Default Company Ltd/CN=rootCA

As you can see, the issuer is now rootCA: the certificate was issued under rootCA's name. The issuer field is just data inside the certificate, so the signature itself still has to be checked.

Let's verify the signature against the rootCA certificate.

CAServer# openssl verify -verbose -CAfile rootCA.cert Apache.cert

Apache.cert: OK

3.2 For the IIS server:

Sign IIS.req with the rootCA certificate and private key.

CAServer# openssl x509 -in IIS.req -out IIS.cert -days 365 -req -CA rootCA.cert -CAkey rootCA.key -CAcreateserial

Signature ok
subject=/C=XX/L=Default City/O=IIS Server/OU=IIS Server/CN=iis.linuxbyexamples.net
Getting CA Private Key

We've got the file IIS.cert; let's inspect it.

CAServer# openssl x509 -subject -issuer -noout -in IIS.cert

subject= /C=XX/L=Default City/O=IIS Server/OU=IIS Server/CN=iis.linuxbyexamples.net
issuer= /C=XX/L=Default City/O=Default Company Ltd/CN=rootCA

As you can see, the issuer is now rootCA, so this certificate was issued under rootCA's name. As before, the signature still has to be checked.

Let's verify the signature against the rootCA certificate.

CAServer# openssl verify -verbose -CAfile rootCA.cert IIS.cert

IIS.cert: OK
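The whole of step 3 end to end, as an added example that is not part of the original article. It builds a throw-away rootCA and a throw-away CSR (stand-ins for the files made in Part 1, reusing the hostnames from this page), signs the request with an -extfile so the certificate gets the subjectAltName and server-auth extensions that openssl x509 -req does not copy from the request, and then checks the chain both against rootCA and against an unrelated CA, which verify must reject. Directory, file names and the extension set are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): step 3 end to end, with throw-away keys.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throw-away root CA: stands in for the rootCA.key/rootCA.cert made in Part 1.
make_ca() {    # $1 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1.key" -out "$1.cert" \
        -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=$1" 2>/dev/null
}

# Server key + CSR, as the web server itself would produce them. Only the .req goes to the CA.
make_csr() {   # $1 = file base name, $2 = hostname
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.req" \
        -subj "/C=XX/L=Default City/O=$1 Server/OU=$1 Server/CN=$2" 2>/dev/null
}

# Sign the CSR. openssl x509 -req copies no extensions from the request, so the
# extfile supplies the ones a server certificate needs (SAN, EKU, CA:FALSE).
sign_csr() {   # $1 = CSR base name, $2 = CA base name, $3 = hostname for the SAN
    cat > "$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$3
EOF
    openssl x509 -req -in "$1.req" -CA "$2.cert" -CAkey "$2.key" -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.cert" 2>/dev/null
}

# Chain check: exit 0 if the leaf chains to the given CA, non-zero otherwise.
verify_cert() {  # $1 = CA cert, $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate carry a DNS SAN for the hostname?
has_san() {      # $1 = cert, $2 = hostname
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

make_ca rootCA
make_ca otherCA                     # an unrelated CA, to show verify rejecting it
make_csr Apache apache.linuxbyexamples.net
sign_csr Apache rootCA apache.linuxbyexamples.net

openssl x509 -subject -issuer -noout -in Apache.cert
verify_cert rootCA.cert  Apache.cert && echo "Apache.cert: chains to rootCA"
verify_cert otherCA.cert Apache.cert || echo "Apache.cert: does not chain to otherCA (as it should not)"
has_san Apache.cert apache.linuxbyexamples.net && echo "Apache.cert: has SAN for apache.linuxbyexamples.net"
```

The negative check is the one people skip: openssl verify -CAfile with the wrong CA must fail, otherwise the "issuer=rootCA" line proves nothing. The same sign_csr function works for IIS.req; only the hostname in the SAN changes.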

4. Configure the web servers (Apache and IIS)

4.1 For the Apache server:

Check whether mod_ssl, which Apache needs for HTTPS, is installed.

ApacheServer# rpm -qa | grep mod_ssl

mod_ssl-2.2.3-65.el5.centos

If not, install it with yum.

ApacheServer# yum install mod_ssl

Copy the two files Apache.cert and rootCA.cert from CAServer to ApacheServer. Apache.key, the private key matching Apache.cert, must be on ApacheServer as well.

Edit the mod_ssl configuration file:

ApacheServer# vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/httpd/conf.d/Apache.cert
SSLCertificateKeyFile /etc/httpd/conf.d/Apache.key
SSLCACertificateFile /etc/httpd/conf.d/rootCA.cert
SSLVerifyClient require

SSLCACertificateFile does two jobs here: it is the trust store used to verify the client certificate the browser presents, and the subject names in it are the list of acceptable CAs the server sends to the browser in its certificate request. With SSLVerifyClient require, a browser that cannot present a certificate chaining to rootCA gets no page at all. The default SSLVerifyDepth of 1 is enough for client certificates signed directly by rootCA; raise it only if you introduce an intermediate CA.

Restart the httpd service.

ApacheServer# /etc/init.d/httpd restart

Check that port 443 is now listening.

ApacheServer# netstat -pnat | grep 443

tcp 0 0 :::443 :::* LISTEN 9201/httpd

That's it for the Apache server.

4.2 For the IIS server:

IIS imports a server certificate together with its private key as a PKCS#12 (.pfx) file, so bundle IIS.cert and IIS.key into that format.

CAServer# openssl pkcs12 -export -inkey IIS.key -in IIS.cert -out IIS.pfx -nodes

Enter Export Password:
Verifying - Enter Export Password:

Enter a password to protect the file; Windows asks for it again at import time, and it is the only thing protecting the private key while IIS.pfx is being copied around, so choose a strong one. In a production setup the private key should be generated on the IIS server and never leave it: the CA only needs the request, and the conversion can be done wherever the key already lives.
And we've got the file IIS.pfx.
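The conversion plus the checks worth doing before the file leaves the CA, as an added example that is not part of the original article. It uses a self-signed stand-in for the IIS.key/IIS.cert pair from step 3 so that it runs on its own; the friendly name, the password and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build IIS.pfx and check what is inside it.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the IIS.key/IIS.cert pair signed in step 3 (self-signed here so the example runs alone).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout IIS.key -out IIS.cert \
    -subj "/C=XX/L=Default City/O=IIS Server/OU=IIS Server/CN=iis.linuxbyexamples.net" 2>/dev/null

# Bundle key + certificate into a password-protected PKCS#12.
# -name sets the friendly name that the IIS console shows for the certificate.
export_pfx() {   # $1 = key, $2 = cert, $3 = output .pfx, $4 = export password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -name "iis.linuxbyexamples.net" -passout "pass:$4"
}

# Read the certificate subject back out of the bundle; fails with a wrong password.
pfx_subject() {  # $1 = .pfx, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Confirm a private key is inside: IIS cannot bind HTTPS to a certificate without one.
pfx_has_key() {  # $1 = .pfx, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

PW='export-password-example'   # assumption; use a real secret and pass it to Windows out of band
export_pfx IIS.key IIS.cert IIS.pfx "$PW"
pfx_subject IIS.pfx "$PW"
pfx_has_key IIS.pfx "$PW" && echo "IIS.pfx: private key present"
pfx_subject IIS.pfx 'wrong-password' >/dev/null 2>&1 || echo "IIS.pfx: wrong password rejected (as it should be)"
```

Once IIS.pfx is on the Windows side, delete the copy on CAServer: a CA host has no reason to keep a web server's private key.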

Copy the files IIS.pfx and rootCA.cert to the IIS server.
Rename rootCA.cert to rootCA.cer and open it.

Install it into the Trusted Root Certification Authorities store of the Local Computer (not the current user's store), so that IIS itself trusts client certificates issued by rootCA.

Open the IIS management console, import IIS.pfx under Server Certificates, and add an https binding on port 443 to the site that uses this certificate.

In the site's SSL Settings, set client certificates to Require.

Check that TCP port 443 is listening.
That's it for the IIS server.
