Centos – Setup client certificate verification in an Apache webserver via SSLVerifyClient on a Centos 6.5+ server

Tags: apache-2.2, centos, ssl, ssl-certificate, virtualhost

Goal:

My goal is to set up an Apache web server on a Centos box, with SSL and client certificate validation similar to the following Apache virtual host (http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/):

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /path/to/myserver.pem
  SSLCertificateKeyFile /path/to/myserver.key
  SSLCACertificateFile /path/to/ca.pem
  SSLCACertificatePath /path/to
  SSLVerifyClient require

  <Location />
    SSLRequireSSL
    SSLOptions +FakeBasicAuth
    AuthName "FakeBasicAuth"
    AuthType Basic
    AuthUserFile /path/to/httpd.passwd
    require valid-user
  </Location>

  ScriptAliasMatch ^(.*) /path/to/hgwebdir.cgi$1
</VirtualHost>

Current solution:

As of now I have a working Apache solution which is based on a self-signed CA certificate which is used to create an intermediate CA which again is used to create a web server certificate (https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/).

The CA, intermediate CA and web server certificates are used in an Apache virtual host file to set up the SSL communication. When I do not use the SSLVerifyClient, the solution works as expected, both on the web server itself and the Windows box where the CA certificate has been added. No nagging screen and all is good.

Problem:

But as soon as I add the SSLVerifyClient I get the 'ssl_error_handshake_failure_alert' in Firefox on the Windows box and 'sslv3 alert handshake failure' on the Centos server when using the 'openssl s_client -connect [ip]:[port]' command.

This failure is for sure because I am missing the client certificate, but how must these client certificates be created and used? I cannot see where this client certificate fits.

I have tried playing with PuTTY Pageant, but it seems this is for the ssh protocol only and not secure http. I am looking for a secure http solution, where the client certificate is installed on the Windows box allowing developers access to the webserver.

Best Answer

You need to import the client certificate as a p12/pfx file (including the private key) into your Firefox.

The client certificate needs to be a client certificate that is trusted by the webserver, i.e., the client certificate should be enrolled/signed by your CA.
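The two halves of the answer (a certificate signed by your CA, packaged as p12/pfx with its private key) are the part the question says it cannot see. The script below is an added example, not code from the question, the answer, or the linked guides: it mints a throwaway CA standing in for the asker's intermediate CA, issues a client certificate with the clientAuth extended key usage, checks it the way the server side will (chain to the CA, client purpose), and bundles it as PKCS#12 for Firefox. It needs only the openssl CLI; the WORKDIR, the "Demo Client CA" name, the user "alice" and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Mints a client certificate signed by a CA, bundles it as PKCS#12 (the
# p12/pfx file the answer says to import into Firefox) and checks that the
# result is what Apache's SSLVerifyClient will accept. Requires the openssl
# CLI; every path and name below is constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Throwaway CA standing in for the asker's own (intermediate) CA.
#    Explicit config so the CA flags do not depend on the system openssl.cnf.
make_demo_ca() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Demo Client CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes \
    -days 30 -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# 2. Client key + CSR, then a certificate signed by the CA. The clientAuth
#    EKU is what marks it as a client (not server) certificate. The minimal
#    config is reused so no system openssl.cnf is needed for the CSR either.
make_client_cert() {
  name="$1"
  openssl req -new -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$name" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature' \
    'extendedKeyUsage = clientAuth' > "$WORKDIR/client.ext"
  openssl x509 -req -days 30 -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/client.ext" -out "$WORKDIR/$name.pem" 2>/dev/null
}

# 3. What the server side does: chain the client cert to the CA given in
#    SSLCACertificateFile and require the sslclient purpose. Exit 0 = accepted.
verify_client_cert() {
  name="$1"
  openssl verify -purpose sslclient -CAfile "$WORKDIR/ca.pem" \
    "$WORKDIR/$name.pem" >/dev/null 2>&1
}

# 4. Bundle cert + private key + issuing CA into a password-protected PKCS#12
#    for import into Firefox (Certificate Manager -> Your Certificates -> Import).
make_p12() {
  name="$1"; pass="$2"
  openssl pkcs12 -export -name "$name" -inkey "$WORKDIR/$name.key" \
    -in "$WORKDIR/$name.pem" -certfile "$WORKDIR/ca.pem" \
    -passout "pass:$pass" -out "$WORKDIR/$name.p12" 2>/dev/null
}

# 5. Reopen the bundle and print the subject of the client cert inside it,
#    so a wrong password or a bundle without the cert is caught before import.
p12_subject() {
  name="$1"; pass="$2"
  openssl pkcs12 -in "$WORKDIR/$name.p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject
}

# Stand-alone run: build everything for a user called "alice".
if [ "${1:-}" = "demo" ]; then
  make_demo_ca
  make_client_cert alice
  verify_client_cert alice && echo "alice.pem chains to ca.pem with sslclient purpose"
  make_p12 alice 'demo-password'
  p12_subject alice 'demo-password'
  echo "artifacts in $WORKDIR"
fi
```

Run it as `sh make-client-cert.sh demo`. Against the real setup, the CA in step 1 is replaced by the asker's intermediate CA, and the same chain (intermediate plus root) must be what Apache reads from SSLCACertificateFile, otherwise the handshake fails exactly as described in the question. The `openssl s_client` command from the question can then be repeated from the server with `-cert alice.pem -key alice.key -CAfile ca.pem` to confirm the handshake before touching Firefox. Note that with `SSLOptions +FakeBasicAuth` in the quoted virtual host, the user name Apache looks up in httpd.passwd is the certificate's subject DN, so the CN chosen in step 2 is what ends up in that file.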