Tag: certificate

Authenticate through Client Certificate

This post documents how to setup using a client certificate in accessing a private web page.

The involved components are as follows:

  • Web server: Apache 2.4
  • Browser: Firefox 98

Steps:

  1. Generate CA certificate: see the previous post
  2. Configure web server to require client certificates signed by the CA
    • Add SSLVerifyClient require to the protected Location
    • Add SSLCACertificateFile to point to the CA certificate
  3. Generate a personal certificate: also described in the previous post
  4. Sign the personal certificate with CA certificate: ditto
  5. Import personal certificate into browser
    Settings → Privacy & Security → Certificates → View Certificates… → Your Certificates → Import…
  6. Configure browser to enable post-handshake authentication (Only needed if you get “…Cannot perform Post-Handshake Authentication” error. Usually happens when securing only a sub path instead of the entire server.)
    For Firefox (98)
    1. Go to the URL about:config
    2. Find and enable security.tls.enable_post_handshake_auth
  7. All set! Go ahead and test it out…

Self-signed CA certificate

It’s useful for signing certificates for internal use. Here is a quick way for setting up a self-signed CA using the openssl command in Linux.

mkdir ca
cd ca
openssl req -nodes -new -x509 -keyout ca.key -out ca.crt -subj "/C=TW/ST=Taiwan/L=Taipei/O=ccdw.org/OU=sam/CN=sam.ccdw.org/emailAddress=root@sam.ccdw.org"

Server certificate

To create a server certificate signing request along with a new server key:

openssl req -nodes -new -keyout server.key -out server.csr -subj "/C=TW/ST=Taiwan/L=Taipei/O=ccdw.org/OU=server/CN=server.ccdw.org/emailAddress=server@ccdw.org"

To sign the server certificate:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650

The resulting key can certificate of the server can be combine into a PEM file:

cat server.key server.crt > server.pem

Client certificate

To create a client certificate signing request along with a new client key:

openssl req -nodes -new -keyout client.key -out client.csr -subj "/C=TW/ST=Taiwan/L=Taipei/O=ccdw.org/OU=client/CN=Good Client/emailAddress=good@client.ccdw.org"

To sign the client certificate:

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt -days 1000

The browser usually needs the certificate in PKCS#12 format. To convert the format of the certificate:

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt

The .pfx file can then be imported into a browser.