Ssl – Browser not asking for client certificate

apache-2.2authenticationssl

I am configuring Apache to use client certificate authentication. When I brows to the site however, it does not ask me for a certificate, unless SSLCACertificateFile is specified. It will then ask for a certificate through the browser. The browser will pop up a box asking me to choose a certificate (it only shows certificates signed by the CA specified by SSLCACertificateFile).

I am using a self signed certificate.

It also does not matter if the certs the 'client' uses is specified in SSLCACertificatePath.

Any helpful advice on why it is acting this way?
Is the browser not asking for certificates normal unless SSLCACertificateFile is specified?

<VirtualHost _default_:443>
DocumentRoot "C:/documents"
ServerName server.ip:443
ServerAdmin admin@eample.org
ErrorLog "C:/Apache2.2/logs/error.log"
TransferLog "C:/Apache2.2/logs/access.log"

SSLEngine on
SSLCipherSuite HIGH:MEDIUM

SSLCertificateFile C:/Apache2.2/certs/server.crt

SSLCertificateKeyFile C:/Apache2.2/certs/server.key

SSLCertificateChainFile C:/Apache2.2/certs/ca.crt

SSLCACertificateFile C:/Apache2.2/certs/ca.crt

SSLCACertificatePath C:/Apache2.2/allowed-crts

SSLCARevocationPath C:/Apache2.2/revoked-certs

SSLVerifyClient require
SSLVerifyDepth  2

SSLOptions +ExportCertData +StdEnvVars
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/Apache2.2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0

CustomLog "C:/Apache2.2/logs/webservices-ssl_request.log" \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Best Answer

What you are saying does make sense, and the doc, while a bit vague, seems to agree.

SSLCACertificateFile

This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.

Just to clarify, I understand it that SSLCACertificateFile is needed so that the server knows which clients it is allowed to let in the protected area and you would need at least SSLCACertificateFile or SSLCACertificatePath.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Ssl – Generating a client-side SSL/TLS certificate from in the browser

You are looking for the keygen tag. See Mozilla's page.

You might be better off letting EJBCA do this since it handles the different browser quirks by using it's external-ra component (I did :) ).

In essence, build two instances of ejbca. One to act as your ca behind your secure network. Another instance as the frontend ra which will be used to enrol your users. The ca polls the ra by querying the ra's MySQL database (externalra.properties config file), pick any outstanding CSRs, sign them and then post certificates back.

For you to enrol a user:

You must pre-create the user in the ca end (End entity as they are called. Which means you must create a ca, caprofile, etc)
Log in to the externalra interface with the end entity credentials and submit the form.
The client's browser will start displaying a busy icon.
The CSR hits the ra db, and waits for the ca to pick up the csr and drop back a cert. Once the cert hits the ra db, it's presented to the user.

Here's a simple ejbca build script I used. It won't work right off the bat but it should work. Update: Also see this question and this link for client cert usage in Apache

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Ssl – Generating a client-side SSL/TLS certificate from in the browser

Related Topic