Apache – Client-Side Certificates on Linux with OpenSSL

Tags: apache-2.2, openssl, Security, ssl, x509

My company purchased a wildcard certificate from a vendor. This certificate was successfully configured with Apache 2.2 to secure a subdomain. Everything on the SSL side works.

Now I'm required to generate x509 client-side certificates to issue for this subdomain. I'm following this page: http://www.vanemery.com/Linux/Apache/apache-SSL.html, starting with "Creating Client Certificates for Authentication".

I've generated the p12 files and successfully imported them into Firefox. When I browse to the site now, I get an error in Firefox that says "The connection to the server was reset while the page was loading."

I think my problem is coming from not signing the client-side certificate correctly. When I sign the client-side certificate, I'm using the PEM file (RapidSSL_CA_bundle.pem) from RapidSSL (who we bought the certificate from) for the -CA argument. For the -CAkey argument, I'm using the private key of the server. Is this correct?

Best Answer

Could be that you are using client certs with the wrong key usage. Please verify that your key usage has:

  • Critical
  • Signing
  • Non-repudiation
  • Key Encipherment

If you are using extended key usage, check for

  • Not Critical
  • TLS Web Client Authentication
  • E-mail protection

On the server side, verify that you have all the CA certs that were used to sign the client cert and that the relevant PKI hierarchy is set up. In a typical Apache setup, this would look like:

<VirtualHost *:443>
    ServerAdmin admin@example.net
    DocumentRoot /var/www/
    ServerName service.example.net
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    <Directory "/var/www/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>

    <Directory "/var/www/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
    </Directory>

    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCertificateFile    /usr/local/ssl/certs/Server.crt
    SSLCertificateKeyFile /usr/local/ssl/private/Server.key
    # The CA (or chain) that signed the client certs, not the server cert's vendor bundle
    SSLCACertificateFile  /usr/local/ssl/certs/caRoot.cacert.pem
    SSLVerifyClient require
    ErrorLog logs/service.example.net-443-error_log
    LogLevel info
    CustomLog logs/service.example.net-443-access.log combined
</VirtualHost>

Finally, you can try debugging with good old openssl

openssl s_client -connect server.example.net:443 -CAfile ../ca/caRoot.crt -cert client-Access.crt -key client-Access.key  -showcerts

or curl

curl -kv --key client-Access.key --cert client-Access.crt --cacert ../ca/caRoot.crt  https://server.example.net/

Good luck!
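To make the answer's checklist concrete, here is an added example (not from the original post or the linked guide) that builds a private client CA, issues a client certificate carrying exactly the key usage and extended key usage listed above, and then checks it the way mod_ssl with SSLVerifyClient would. The CA name, file names and working directory are made up; the CA key used with -CAkey is one you hold, and its certificate is what SSLCACertificateFile has to point at.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA issuing a client
# certificate with the key usage listed in the answer, then checked the way
# mod_ssl would check it. Names and paths are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extensions matching the checklist: keyUsage critical, extendedKeyUsage not.
write_client_ext() {
  cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
}

# The CA that signs client certs must be one whose private key you hold; its
# certificate is what SSLCACertificateFile points at.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Client CA" \
    -keyout "$WORK/caRoot.key" -out "$WORK/caRoot.crt" 2>/dev/null
}

# Key + CSR for the user, signed with the CA above (matching -CA / -CAkey pair).
issue_client_cert() {
  write_client_ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 365 \
    -CA "$WORK/caRoot.crt" -CAkey "$WORK/caRoot.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Returns 0 when the cert chains to the CA for the sslclient purpose and
# carries the critical key usage plus the client-auth EKU from the checklist.
check_client_cert() {
  openssl verify -CAfile "$WORK/caRoot.crt" -purpose sslclient \
    "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$WORK/$1.crt" -noout -text)
  echo "$text" | grep -q 'X509v3 Key Usage: critical' || return 1
  echo "$text" | grep -q 'TLS Web Client Authentication' || return 1
}

make_ca
issue_client_cert client-Access
check_client_cert client-Access && echo "client-Access.crt is acceptable to SSLVerifyClient"
```

The resulting caRoot.crt, client-Access.crt and client-Access.key are the three files the s_client and curl commands above expect, so the same material can be used to reproduce the handshake against the server.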