How to use SSL client certificates to authenticate user logins.

  Linux, Security, Windows

We hear a lot about how passwords are insecure and should not be used alone for authentication.
They are hard to remember, so users are tempted to come up with weak passwords and to reuse them across multiple websites.
Even when the password is strong, sometimes we need one extra layer of security.

Our TestLAB uses a Linux web server running Apache.

Client Certificate CA Setup and Signing

The first step consists of setting up a Certificate Authority (CA).
It is just a key pair: the private key is used to sign each client's public key in the form of a certificate, which is later used for verification between the client browser and the server.

Generating a CA:

openssl genrsa -out CA.key 4096
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem

Be sure to keep CA.key secure. You will need it on the server if you want to create the client certificates there automatically.
The CA key will be used to sign the clients' public keys.

Creating a client certificate is a three-step process:

Generate a key pair for the client.
Generate a Certificate Signing Request (CSR) from that key pair.
Sign the CSR with the CA key, producing the client certificate.

Create a key pair:

openssl genrsa -out client_xpto.key 4096

Now let's use the key to create the CSR:

openssl req -new -key client_xpto.key -out client_xpto.csr

You'll be prompted for a bunch of information; fill it in according to your needs or use the defaults…

Now we use the CA to sign the CSR, generating the client certificate:

openssl ca -cert CA.pem -keyfile CA.key -in client_xpto.csr -out client_xpto.crt

Note: in some distributions this may…
Before you can use the ca command, you need a fair amount of configuration.
It needs a database to keep track of issued and revoked certificates, plus a handful of other settings.
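The configuration the ca command is asking for, as an added example that is not part of the original post: it builds the minimal database layout and config file that openssl ca needs, signs a CSR non-interactively, and then shows what the database buys you, revoking a client and publishing a CRL. The directory, subject names, config file, section names and the clientAuth extensions are constructed for this demonstration; the openssl ca, req, genrsa and verify invocations are standard OpenSSL.

```shell
#!/bin/sh
# Added example (not from the original post): minimal "openssl ca" setup,
# issue, revoke, and CRL generation. Everything lives in a scratch directory.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"   # constructed scratch directory

# Create the CA database layout and a minimal config. openssl ca refuses to run
# without an index (issued/revoked ledger), a serial file, new_certs_dir and a policy.
setup_ca() {
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/CA.pem
private_key      = \$dir/CA.key
default_md       = sha256
default_days     = 730
default_crl_days = 30
policy           = policy_client
x509_extensions  = client_ext
unique_subject   = no

[ policy_client ]
commonName       = supplied

[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # Same CA key pair / self-signed certificate as in the post (20-year validity)
    openssl genrsa -out "$CADIR/CA.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$CADIR/CA.key" -days 7300 \
        -subj "/CN=TestLAB Client CA" -out "$CADIR/CA.pem" 2>/dev/null
    # Publish an (empty) CRL from the start so verifiers always have one to check
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" 2>/dev/null
}

# Issue: client key, CSR, then the post's "openssl ca" step (-batch = no prompts)
issue_client() {
    name="$1"
    openssl genrsa -out "$CADIR/$name.key" 4096 2>/dev/null
    openssl req -new -key "$CADIR/$name.key" -subj "/CN=$name" -out "$CADIR/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CADIR/ca.cnf" \
        -in "$CADIR/$name.csr" -out "$CADIR/$name.crt" 2>/dev/null
}

# Revoke one client (index.txt entry flips from V to R) and regenerate the CRL
revoke_client() {
    openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/$1.crt" 2>/dev/null
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" 2>/dev/null
}

# Returns 0 only if the certificate chains to CA.pem AND is not listed in the CRL
is_valid() {
    openssl verify -crl_check -CAfile "$CADIR/CA.pem" -CRLfile "$CADIR/crl.pem" \
        "$CADIR/$1.crt" >/dev/null 2>&1
}

setup_ca
issue_client client_xpto
is_valid client_xpto && echo "client_xpto: valid"
revoke_client client_xpto
is_valid client_xpto || echo "client_xpto: revoked, CRL written to $CADIR/crl.pem"
```

This is the difference between the two signing paths: signing directly with openssl x509 leaves no record of what was issued, so a lost laptop can only be handled by replacing the CA; with the ca database you revoke the one certificate, regenerate crl.pem, and point Apache at it with SSLCARevocationFile plus SSLCARevocationCheck chain so the revoked client is refused at the TLS handshake.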

If the openssl ca command fails, you can sign the CSR directly with openssl x509 instead:

openssl x509 -sha256 -req -in client_xpto.csr -out client_xpto.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 730

At this point we have almost everything done…
In my case, all my clients are using Windows and Mozilla Firefox.
So let's combine client_xpto.key and client_xpto.crt into one client_xpto.pfx.

openssl pkcs12 -export -out client_xpto.pfx -inkey client_xpto.key -in client_xpto.crt
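The whole client-side procedure above (CA, key pair, CSR, signing with openssl x509, PKCS#12 bundle), scripted non-interactively as an added example that is not part of the original post, followed by the checks worth running before handing a .pfx to a user. The work directory, subject names and the PFX password are constructed placeholders; the extension file restricting the certificate to client authentication is an addition to the post's signing command.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end client certificate flow
# using the "openssl x509 -req" signing path (no CA database needed).
set -eu

WORK="${WORK:-$(mktemp -d)}"        # constructed scratch directory
PFX_PASS="${PFX_PASS:-changeit}"    # demo-only password; omit -passout below to be prompted

# 1. CA key pair and self-signed CA certificate (20-year validity, as in the post)
make_ca() {
    openssl genrsa -out "$WORK/CA.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/CA.key" -days 7300 \
        -subj "/CN=TestLAB Client CA" -out "$WORK/CA.pem" 2>/dev/null
}

# 2. Client key pair, 3. CSR, 4. CA-signed certificate, then the PKCS#12 bundle.
# The extension file marks the certificate as a non-CA leaf limited to TLS client
# authentication, so it cannot be reused as a server or intermediate certificate.
issue_client() {
    name="$1"
    openssl genrsa -out "$WORK/$name.key" 4096 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$WORK/client_ext.cnf"
    openssl x509 -sha256 -req -in "$WORK/$name.csr" -out "$WORK/$name.crt" \
        -CA "$WORK/CA.pem" -CAkey "$WORK/CA.key" -CAcreateserial -days 730 \
        -extfile "$WORK/client_ext.cnf" 2>/dev/null
    # Bundle key + certificate (+ the CA, so the import shows a complete chain)
    openssl pkcs12 -export -out "$WORK/$name.pfx" -inkey "$WORK/$name.key" \
        -in "$WORK/$name.crt" -certfile "$WORK/CA.pem" -passout "pass:$PFX_PASS"
}

# Does the certificate chain to CA.pem? This is the check Apache's SSLVerifyClient performs.
verify_client() {
    openssl verify -CAfile "$WORK/CA.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

# Is the certificate restricted to client authentication?
has_client_auth_eku() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Does the bundle open with the password we are going to hand out?
pfx_ok() {
    openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$PFX_PASS" -noout >/dev/null 2>&1
}

make_ca
issue_client client_xpto
verify_client client_xpto && has_client_auth_eku client_xpto && pfx_ok client_xpto \
    && echo "client_xpto.pfx ready in $WORK (chains to CA.pem, clientAuth only)"
```

Two practical notes: OpenSSL 3 writes PKCS#12 files with AES-256-CBC and a SHA-256 MAC by default, which older Windows releases cannot import; add -legacy to the pkcs12 -export command if the import fails on such a client. And once Apache is configured, curl --cert client_xpto.crt --key client_xpto.key https://your-site/ is a quick way to confirm the server accepts the certificate before touching a browser.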

Now let's configure our web server to use all this:
Copy CA.pem to your certs folder; in our case we chose /etc/ssl/certs.
Edit the vhost of the website you want to protect with client-certificate authentication and add a block with the following:

# CA that issued the client certificates (the CA.pem copied above; the path is case-sensitive)
SSLCACertificateFile /etc/ssl/certs/CA.pem

<Directory /srv/www/htdocs/mywiki>
    # expose the SSL_CLIENT_* variables to the application
    SSLOptions +StdEnvVars
    # refuse the request unless the browser presents a certificate signed by the CA
    SSLVerifyClient require
</Directory>

Save and restart Apache, then copy client_xpto.pfx to your client computer.

Install it in your browser and test access 🙂
