Security Basics mailing list archives
Re: Mutual Authentication scheme
From: "Jorge Luis Alvarez Medina" <jlalvarezmedina () hotmail com>
Date: Wed, 02 May 2007 18:49:12 +0000
No, I don't have a link (I couldn't find one), but by reading some articles and trying on my own I got what I wanted. Here is what I did:
I have assumed that you understand clearly what a Certification Authority and SSL certificates are. If not, you have to understand that first.
You have to do two separate things:
* Create the certificates for the server and the clients
* Install Apache + mod_ssl, and configure it

Step 1: Create the certificates for the server and the clients. You have two choices:
1) Create certificates with some known certification authority (one per client you want to authenticate), download the certificate of the CA and put it in conf/ssl/ca.crt (or change the corresponding reference in SSLCACertificateFile).
2) Create your own CA, and with it create and sign your own certificates (one per client). In order to do this, you have to install OpenSSL.
To create the CA, use something like this (here I have built a cert authority valid for ten years, starting now):
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config openssl.conf
(feel free to adjust openssl.conf as you want). So now you have the public certificate and the private key for your CA. You have your own CA now! :)
Now you have to create certificates (and their respective keys) for each client and for the server (if you want to mutually authenticate them). Here I have built a cert that will be valid for ten years.
Build a request for a cert that will be valid for ten years:
openssl req -days 3650 -nodes -new -keyout client1.key -out client1.csr -config openssl.conf
Sign the cert request with our CA, creating a cert/key pair:
openssl ca -days 3650 -out client1.crt -in client1.csr -config openssl.conf
Do this for each client and for the server. If you don't understand some command, option or anything else, ask me again... or ask Google :)
Step 2: Install Apache + mod_ssl. First, download a working version like some of these:
http://www.apache.org/dist/httpd/binaries/win32/
Install it, and configure the following:
- In httpd.conf, uncomment the line
#LoadModule ssl_module modules/mod_ssl.so
(just wipe the #)
- In ssl.conf, comment out the <IfDefine SSL> and its corresponding </IfDefine> ...and here comes the relevant thing... uncomment the following parameters (if they are commented), and adjust them properly:
For server authentication:
SSLCertificateFile conf/ssl/webserver.crt
SSLCertificateKeyFile conf/ssl/webserver.key
For client authentication:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl/ca.crt
I'm assuming here that the certificate and the key used for the webserver are webserver.crt and webserver.key respectively, and the CA certificate is ca.crt. Put all these files in the conf/ssl folder.
Now start Apache. Install the client certificates in the respective browsers and VERIFY THAT THE CERTIFICATE IS INSTALLED AS A PERSONAL CERTIFICATE (this could be your problem; you may be forced to export them to .p12 format, use openssl again to do this), and access the https server with client and server authentication! That's it!!!
Jorge Luis :)
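The whole procedure from the post above (own CA, one cert per client plus one for the server, .p12 export for the browser, Apache trusting ca.crt), as an added example that is not part of the original message: a POSIX shell script that builds a throwaway PKI with OpenSSL and then checks which certificates a server configured with SSLVerifyClient require would accept. Everything in it is an assumption of this example, not something the post states: the names (Example Test CA, www.example.com, client1, Rogue CA) and the export password changeit are placeholders, the script writes its own minimal request config instead of using the post's openssl.conf, and CSRs are signed with openssl x509 -req rather than openssl ca, so no CA index/serial database is needed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway CA, a server
# cert and a client cert with OpenSSL, exports the client cert as PKCS#12 for
# a browser, and checks the chain the way mod_ssl does for SSLVerifyClient.
# Assumptions: the CN/DNS names and the export password are placeholders;
# "openssl x509 -req" is used to sign CSRs instead of the post's "openssl ca",
# so no index/serial database or full openssl.conf is needed.
set -eu

# Minimal request config so nothing depends on the system openssl.cnf;
# the real subject is always given with -subj on the command line.
write_req_cnf() {
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
                  '[ dn ]' 'CN = placeholder' > "$1/req.cnf"
}

# new_ca DIR NAME CN: self-signed CA cert NAME.crt and key NAME.key, 10 years.
new_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$1/req.cnf" -subj "/CN=$3" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$1/$2.key" -out "$1/$2.crt"
}

# issue_cert DIR CA NAME CN EXTFILE: key + CSR for NAME, signed by CA with the
# X.509 extensions listed in EXTFILE (this is where client vs server is fixed).
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$1/req.cnf" -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr"
    openssl x509 -req -days 3650 -sha256 -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$5" -out "$1/$3.crt"
}

# export_p12 DIR NAME PASSWORD: bundle NAME.key, NAME.crt and the CA cert
# (fixed name ca.crt) into NAME.p12, the format browsers import as a
# "personal" certificate.
export_p12() {
    openssl pkcs12 -export -name "$2" -in "$1/$2.crt" -inkey "$1/$2.key" \
        -certfile "$1/ca.crt" -passout "pass:$3" -out "$1/$2.p12"
}

# check_cert CA_CRT PURPOSE CERT: exit 0 if CERT chains to CA_CRT and its
# extensions allow PURPOSE (sslclient or sslserver), non-zero otherwise.
check_cert() {
    openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# build_demo_pki DIR: the whole procedure from the post, plus a second,
# unrelated CA so the negative case (a cert the server must reject) exists.
build_demo_pki() {
    dir=$1
    write_req_cnf "$dir"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:www.example.com' > "$dir/server-ext.cnf"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature' \
        'extendedKeyUsage = clientAuth' > "$dir/client-ext.cnf"

    new_ca "$dir" ca "Example Test CA"
    issue_cert "$dir" ca webserver www.example.com "$dir/server-ext.cnf"
    issue_cert "$dir" ca client1 client1 "$dir/client-ext.cnf"
    export_p12 "$dir" client1 changeit

    # Same shape, same CN, different trust root: mod_ssl must reject this one.
    new_ca "$dir" rogue "Rogue CA"
    issue_cert "$dir" rogue rogue-client client1 "$dir/client-ext.cnf"
}

# Stand-alone demo: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    out=$(mktemp -d)
    build_demo_pki "$out"
    for c in client1 webserver rogue-client; do
        if check_cert "$out/ca.crt" sslclient "$out/$c.crt"; then
            echo "$c: accepted as client cert"
        else
            echo "$c: rejected as client cert"
        fi
    done
    echo "files in $out"
fi
```

client1.crt is accepted, webserver.crt is refused because its extendedKeyUsage is serverAuth only, and rogue-client.crt is refused because it does not chain to ca.crt; that is the decision SSLVerifyClient require with SSLCACertificateFile conf/ssl/ca.crt makes during the handshake, where OpenSSL verifies the client chain with the same sslclient purpose. The post's SSLVerifyDepth 1 is satisfied because client1.crt is signed directly by ca.crt. webserver.crt/webserver.key and ca.crt are the three files the post's ssl.conf directives point at, and client1.p12 (password changeit) is what gets imported into the browser as a personal certificate; with OpenSSL 3, an old importer that rejects the file may need the pkcs12 command's -legacy switch.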