22 August 2013

Authenticate users with client certificates on Apache and IIS - Part 3

<< Back to Part 2

5. Connect from Client.

From the client, I'll use IE to connect to both web servers by IP address.


Of course, there will be an error message, because both servers require client certificates.

Let's make one.

5.1 Make Client Certificate :

Generate the private key for the client.

CAServer# openssl genrsa -out Client.key 1024

Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)

Generate the certificate request file for the client with the private key above.

CAServer# openssl req -out Client.req -key Client.key -new -days 365

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Client Browser
Organizational Unit Name (eg, section) []:Client Browser
Common Name (eg, your name or your server's hostname) []:Client Browser
Email Address []:

Show the information of the Client Request file.

CAServer# openssl req -subject -noout -in Client.req

subject=/C=XX/L=Default City/O=Client Browser/OU=Client Browser/CN=Client Browser

Sign Client.req with the rootCA certificate.

CAServer# openssl x509 -in Client.req -out Client.cert -days 365 -req -CA rootCA.cert -CAkey rootCA.key -CAcreateserial

Signature ok
subject=/C=XX/L=Default City/O=Client Browser/OU=Client Browser/CN=Client Browser
Getting CA Private Key

And we've got the file Client.cert.

Let's check it.

CAServer# openssl x509 -subject -issuer -noout -in Client.cert

subject= /C=XX/L=Default City/O=Client Browser/OU=Client Browser/CN=Client Browser 
issuer= /C=XX/L=Default City/O=Default Company Ltd/CN=rootCA

You need to convert this pair (Client.cert & Client.key) into .pfx format to make it usable.

CAServer# openssl pkcs12 -export -inkey Client.key -in Client.cert -out Client.pfx -nodes

Enter Export Password:
Verifying - Enter Export Password:

Enter some password to protect it.

5.2 Import the Client.pfx into the browser :

Copy the file Client.pfx and rootCA.cert to the Client.

Rename rootCA.cert to rootCA.cer and open it.

Install it into Trusted Root Certification Authorities \ Local Computer.


Click to import the Client.pfx file.

Let's connect to the web server again. This time, IE will pop up a window with the client certificate info, as the server requires. Press View Certificate ... to see the certificate details.


And it works! But the address bar is still red (Certificate Error), because the client is still using the IP address (for more detail on how to fix this, see: Bypass ie error/warning message when using with self signed certificate).


Change the IP address to the domain name and it will work like a charm. The IIS server gives the same result.


So, anyone who wants to access the web server must present an appropriate certificate (in this example, one signed by rootCA). You can combine this with username/password to add more security factors.

We're done.

So, how does it work ?

  1. Both web servers and the client trust the rootCA (by installing rootCA.cert into the Trusted Root Certification Authorities).
  2. The Apache server uses a certificate signed by rootCA, and it requires a client certificate.
  3. The IIS server uses a certificate signed by rootCA, and it requires a client certificate.
  4. When the client provides its certificate (signed by rootCA), the web server accepts it because of (1.)


6. [Update !!!] Create and Sign Certificate with openssl v3 extensions :

Some applications require X.509 v3 client or server certificates (certificates carrying v3 extensions) for security reasons.

To generate or sign a v3 certificate :

CAServer# openssl x509 -in Apache.req -out Apache.cert -days 365 -req -CA rootCA.cert -CAkey rootCA.key -CAcreateserial -extfile /etc/pki/tls/openssl.cnf -extensions v3_req

Verify the certificate after signing :

CAServer# openssl x509 -in Apache.cert -text -noout

Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha1WithRSAEncryption
X509v3 extensions:
X509v3 Basic Constraints:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
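
The trust rule from "So, how does it work ?" and the extension signing from section 6, as an added example (not part of the original post): a throwaway rootCA issues a client certificate whose v3 extensions restrict it to client authentication, and openssl verify -purpose sslclient accepts it while rejecting a server-only certificate and one signed by a different CA. The file ext.cnf, its section names, otherCA and the Rogue certificate are constructed for the demo; keys are 2048-bit with SHA-256 signatures rather than the 1024-bit key used above.

```shell
#!/bin/sh
# Added example: every name here (temp dir, ext.cnf sections, CNs) is constructed.
set -eu
cd "$(mktemp -d)"
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_ca NAME: self-signed CA, written to NAME.key and NAME.cert
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config ext.cnf \
    -extensions v3_ca -subj "/CN=$1" -keyout "$1.key" -out "$1.cert" 2>/dev/null
}

# issue NAME CA SECTION: key, request and certificate for NAME, signed by CA,
# with the v3 extensions taken from SECTION of ext.cnf
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.req" -subj "/CN=$1" -config ext.cnf
  openssl x509 -req -in "$1.req" -out "$1.cert" -days 1 -sha256 \
    -CA "$2.cert" -CAkey "$2.key" -CAcreateserial \
    -extfile ext.cnf -extensions "$3" 2>/dev/null
}

# accepts_client CA CERT: true only if CERT chains to CA and is usable
# for TLS client authentication
accepts_client() {
  openssl verify -CAfile "$1.cert" -purpose sslclient "$2.cert" 2>/dev/null \
    | grep -q ': OK$'
}

make_ca rootCA; make_ca otherCA
issue Client rootCA v3_client   # the browser certificate
issue Apache rootCA v3_server   # same CA, but marked for server use only
issue Rogue otherCA v3_client   # client extensions, but an untrusted issuer
for c in Client Apache Rogue; do
  accepts_client rootCA "$c" && echo "$c: accepted" || echo "$c: rejected"
done
```

Without an extendedKeyUsage extension, as with the v3_req output shown above, the purpose check does not restrict a certificate to client or server use.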
