Here are logs when configuring openssl and apache for SSL client certificates.
Reference http://theheat.dk/blog/?p=1023
I have prepared two machines, one is for CA and Apache, the other is for a client.
# tail -1 /etc/lsb-release ;uname -ri
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"
3.2.0-58-generic x86_64
|
# apt-get install openssl
|
create a directory for CA and configure CA
# mkdir –p /home/hattori/SSL_works/u01/app/myCA/certs
# mkdir /home/hattori/SSL_works/u01/app/myCA/csr
# mkdir /home/hattori/SSL_works/u01/app/myCA/newcerts
# mkdir /home/hattori/SSL_works/u01/app/myCA/private
# cp /etc/ssl/openssl.cnf /home/hattori/SSL_works/u01/app/myCA/
# cd /home/hattori/SSL_works/u01/app/myCA/
# ls
certs csr newcerts openssl.cnf private
# echo 00 > serial
# echo 00 > crlnumber
# touch index.txt
# ls
certs crlnumber csr index.txt newcerts openssl.cnf private serial
|
edit openssl.cnf
dir = /home/hattori/SSL_works/u01/app/myCA
|
[ CA ]
# openssl genrsa -des3 -passout pass:hello -out private/rootCA.key 2048
# openssl rsa -passin pass:hello -in private/rootCA.key -out private/rootCA.key
# openssl req -config openssl.cnf -new -x509 -subj '/C=JP/L=Tokyo/O=self CA/CN=root.jp' -days 999 -key private/rootCA.key -out certs/rootCA.crt
|
CA private key
# ls private/
rootCA.key
|
CA self signed certificate
# ls certs/rootCA.crt
certs/rootCA.crt
|
[ SSL server certificate ]
# openssl genrsa -des3 -passout pass:qwerty -out private/winterfell.key 2048
# openssl rsa -passin pass:qwerty -in private/winterfell.key -out private/winterfell.key
# openssl req -config openssl.cnf -new -subj '/C=JP/L=Tokyo/O=self/CN=winterfell
' -key private/winterfell.key -out csr/winterfell.csr
# openssl ca -batch -config openssl.cnf -days 999 -in csr/winterfell.csr -out certs/winterfell.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 11 04:53:17 2014 GMT
Not After : Dec 4 04:53:17 2016 GMT
Subject:
countryName = JP
localityName = Tokyo
organizationName = self
commonName = winterfell
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8C:4E:68:16:C0:A0:CF:D9:EB:18:C5:20:A6:BD:35:F8:A7:3D:36:7B
X509v3 Authority Key Identifier:
keyid:13:EC:F9:4E:BD:AF:1C:1F:49:C4:8A:B3:07:4F:C1:D9:2B:33:CE:36
Certificate is to be certified until Dec 4 04:53:17 2016 GMT (999 days)
Write out database with 1 new entries
Data Base Updated
|
[ SSL Client Certificate ]
# openssl genrsa -des3 -passout pass:qwerty -out private/client.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................+++
.........................+++
e is 65537 (0x10001)
# openssl rsa -passin pass:qwerty -in private/client.key -out private/client.key
writing RSA key
# openssl req -config openssl.cnf -new -subj '/C=JP/L=Tokyo/O=self/CN=theClient'
-key private/client.key -out csr/client.csr
# openssl ca -batch -config openssl.cnf -days 999 -in csr/client.csr -out certs/client.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 11 04:55:01 2014 GMT
Not After : Dec 4 04:55:01 2016 GMT
Subject:
countryName = JP
localityName = Tokyo
organizationName = self
commonName = theClient
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2D:CF:85:7A:C0:5C:8A:59:53:F0:EA:9B:2F:FA:86:3D:13:D6:3A:35
X509v3 Authority Key Identifier:
keyid:13:EC:F9:4E:BD:AF:1C:1F:49:C4:8A:B3:07:4F:C1:D9:2B:33:CE:36
Certificate is to be certified until Dec 4 04:55:01 2016 GMT (999 days)
Write out database with 1 new entries
Data Base Updated
|
[ export the client cert by pkcs12 format ]
# openssl pkcs12 -export -passout pass:qwerty -in certs/client.crt -inkey private/client.key -certfile certs/rootCA.crt -out certs/clientcert.p12
|
[ Apache]
install apache
# apt-get install apache2
# a2enmod ssl
# a2ensite default-ssl
|
edit /etc/apache2/sites-available
# grep -v '#' default-ssl | grep -v ^$
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
SSLEngine on
SSLCertificateFile /home/hattori/SSL_works/u01/app/myCA/certs/winterfell.crt
SSLCertificateKeyFile /home/hattori/SSL_works/u01/app/myCA/private/winterfell.key
SSLCertificateChainFile /home/hattori/SSL_works/u01/app/myCA/certs/rootCA.crt
SSLCACertificateFile /home/hattori/SSL_works/u01/app/myCA/certs/rootCA.crt
SSLVerifyClient require
SSLVerifyDepth 10
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
|
edit /etc/apache2/sites-available/default file
ServerName winterfell
|
# /etc/init.d/apache2 restart
|
[ copy rootCA.crt and clientcert.p12 to the client ]
|
# scp certs/rootCA.crt hattori@192.168.0.100:
|
import rootCA.crt and clientcert.p12 on the browser
access to the apache.
