Security Basics mailing list archives

Re: Mutual Authentication scheme


From: "Jorge Luis Alvarez Medina" <jlalvarezmedina () hotmail com>
Date: Wed, 02 May 2007 18:49:12 +0000


No, I don't have a link (I couldn't find one), but reading some articles and trying my own, I got what I wanted. Here is what I did:

I have supposed that you understand clearly what a Certification Authority and SSL certificates are. If you don't, you have to understand that first.


You have to do two separate things.
* Create the certificates for the server and the clients
* Install Apache + modssl, and configure it


Step 1: Create the certificates for the server and the clients:

you have two choices:

1) Create certificates with some known certification authority (one per client you want to authenticate), download the certificate of the CA and put it in conf/ssl/ca.crt (or change the corresponding reference in SSLCACertificateFile).

2) Create your own CA, and with this one, create and sign your own certificates (one per client). In order to do this, you have to install OpenSSL.

To create the CA, use something like this (here I have built a cert authority valid for ten years, starting now):

openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config openssl.conf

(feel free to adjust openssl.conf as you want)

So, you have the public certificate and the private key for your CA. You have your own CA now! :)

Now, you have to create certificates (and their respective keys) for each client and for the server (if you want to mutually authenticate them).

(here I have built a cert that will be valid for ten years):

Build a request for a cert that will be valid for ten years:

openssl req -days 3650 -nodes -new -keyout client1.key -out client1.csr -config openssl.conf

Sign the cert request with our CA, creating a cert/key pair:

openssl ca -days 3650 -out client1.crt -in client1.csr -config openssl.conf

Do this for each client and for the server.

If you don't understand some command, option or else, ask me again...or ask Google :)


Step 2: Install Apache + mod_ssl. First, download a working version like some of these:

http://www.apache.org/dist/httpd/binaries/win32/

Install it, and configure the following:

- on httpd.conf

Uncomment the line #LoadModule ssl_module modules/mod_ssl.so (just wipe the #).

- on ssl.conf

Comment out the <IfDefine SSL> and its corresponding </IfDefine>.

...and here comes the relevant thing...

Uncomment the following parameters (if they are commented), and adjust them properly.

For server authentication:

SSLCertificateFile conf/ssl/webserver.crt
SSLCertificateKeyFile conf/ssl/webserver.key

For client authentication:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl/ca.crt

I'm supposing here that the certificate and the key used for the webserver are webserver.crt and webserver.key respectively, and the CA certificate is ca.crt. Put all these files in the conf/ssl folder.

Now start Apache. Install the client certificates in the respective browsers and VERIFY THAT THE CERTIFICATE IS INSTALLED AS A PERSONAL CERTIFICATE (this could be your problem. You may be forced to export them to .p12 format. Use openssl again to do this), and access the https server with client and server authentication! That's it!!!

Jorge Luis :)
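As an added example (not part of Jorge Luis's post), here is a POSIX shell script that walks Step 1 end to end: it builds a private CA, issues a server certificate and one client certificate, exports the client certificate to .p12 for browser import, and runs the same chain check Apache's SSLVerifyClient will apply. It signs CSRs with `openssl x509 -req` rather than `openssl ca`, so no openssl.conf CA database is needed; the names (demo-ca, webserver, client1) and the PKCS#12 password are assumptions.

```shell
#!/bin/sh
# Constructed example: builds the private CA, a server cert and one client cert
# from the post, bundles the client cert as PKCS#12 for browser import, and
# checks the chain the way Apache's SSLVerifyClient will. Names (demo-ca,
# webserver, client1) and the PKCS#12 password are assumed, not from the post.
set -eu

# Sign a CSR with the CA. "openssl x509 -req" is used instead of "openssl ca"
# so that no CA database (index.txt, serial file, openssl.conf) is required.
sign_with_ca() {
    openssl x509 -req -days 3650 -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out "$1.crt" 2>/dev/null
}

# Does the certificate chain to the given CA file? Same test Apache applies
# with SSLCACertificateFile + SSLVerifyDepth 1 (issuer must be the CA itself).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build everything under directory $1; leaves ca.crt, ca.key, webserver.{key,crt}
# and client1.{key,crt,p12} there. Returns non-zero if any step fails.
build_pki() {
    mkdir -p "$1"
    (
        cd "$1"
        # 1. Self-signed CA valid ten years; -nodes leaves the key unencrypted.
        openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \
            -subj "/CN=demo-ca" -keyout ca.key -out ca.crt 2>/dev/null
        # 2. One key + CSR per party, then sign each with the CA.
        for name in webserver client1; do
            openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$name" \
                -keyout "$name.key" -out "$name.csr" 2>/dev/null
            sign_with_ca "$name"
        done
        # 3. Browsers import a "personal" cert only as cert+key in PKCS#12.
        openssl pkcs12 -export -in client1.crt -inkey client1.key \
            -name client1 -out client1.p12 -passout pass:changeit
        # 4. Both leaf certs must verify against the CA before Apache starts.
        chains_to_ca ca.crt webserver.crt && chains_to_ca ca.crt client1.crt
    )
}
```

Copy ca.crt, webserver.crt and webserver.key into conf/ssl and import client1.p12 into the browser's personal certificate store.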


