
Goal:

My goal is to set up an Apache web server on a CentOS box, with SSL and client certificate validation similar to the following Apache virtual host (http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/):

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /path/to/myserver.pem
  SSLCertificateKeyFile /path/to/myserver.key
  SSLCACertificateFile /path/to/ca.pem
  SSLCACertificatePath /path/to
  SSLVerifyClient require

  <Location />
    SSLRequireSSL
    SSLOptions +FakeBasicAuth
    AuthName "FakeBasicAuth"
    AuthType Basic
    AuthUserFile /path/to/httpd.passwd
    require valid-user
  </Location>

  ScriptAliasMatch ^(.*) /path/to/hgwebdir.cgi$1
</VirtualHost>

Current solution:

As of now I have a working Apache solution which is based on a self-signed CA certificate which is used to create an intermediate CA which again is used to create a web server certificate (https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/).

The CA, intermediate CA and web server certificates are used in an Apache virtual host file to set up the SSL communication. When I do not use the SSLVerifyClient, the solution works as expected, both on the web server itself and on a Windows box where the CA certificate has been added. No nagging screen and all is good.

Problem:

But as soon as I add the SSLVerifyClient I get the 'ssl_error_handshake_failure_alert' in Firefox on the Windows box and 'sslv3 alert handshake failure' on the CentOS server when using the 'openssl s_client -connect [ip]:[port]' command.

This failure is for sure because I am missing the client certificate, but how must these client certificates be created and used? I cannot see where this client certificate fits.

I have tried playing with PuTTY Pageant, but it seems this is for the ssh protocol only and not secure http. I am looking for a secure http solution, where the client certificate is installed on the Windows box allowing developers access to the web server.

Dev Dev

1 Answer


You need to import the client certificate as a p12/pfx (including private key) file into your Firefox.

The client certificate needs to be a client certificate that is trusted by the web server, i.e. the client certificate should be enrolled/signed by your CA.

cornelinux
  • Is it correctly understood that the following must happen. 1: Create a PEM certificate public/private key pair with openssl. 2: Convert the PEM certificate file and a private key to PKCS#12 (.pfx .p12) with a command such as the following: openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt 3: Import this PFX certificate into Firefox. I assume that no changes need to be done on the Apache server, as the PFX contains information of the CA and hereby is already known by the Apache server. Are these steps and this assumption correct? – Dev Dev Oct 08 '14 at 08:34
  • If you sign the client certificate with the CA - yes. I use a Makefile to manage all my CA stuff: https://github.com/cornelinux/simple-ca-makefile You sign the client's certificate request like this `openssl ca -keyfile ${CA_DIR}/${CA_KEY} -cert ${CA_DIR}/${CA_CRT} -in $(csr).req -out $(csr).pem` providing the CA certificate and private key and the client CSR and the outfile for the client certificate. – cornelinux Oct 08 '14 at 12:49
  • I have managed to create a client PEM certificate and converted it into PFX format, and I was able to import this into Firefox. Firefox recognizes the client certificate, but I receive `'ssl_error_certificate_unknown_alert'`. Does the server need to know about the client certificate in PEM or PFX format or does the server accept it as it has been signed by CA? – Dev Dev Oct 08 '14 at 13:30
  • The client PEM certificate I am using is signed by an intermediate CA similar to what you are writing. – Dev Dev Oct 08 '14 at 13:35
  • Do you get any error in the server's log? Also: In Firefox go to the preferences->advanced->certificates and check the radio button "ask each time". Did you see this: http://serverfault.com/questions/592159/does-apache-needs-to-know-about-intermediate-certificates-for-client-authenticat?rq=1 ? – cornelinux Oct 08 '14 at 15:11
  • I inspected the ssl log of the Apache server and found the following error: `Certificate Verification: Certificate chain too long (chain has 2 certificates, but maximum allowed are only 1)`. This is due to the CA chain I got. After adding `SSLVerifyDepth 2` I managed to connect via HTTPS with the created client certificate. How is it possible to create the same flow for `lynx` on the CentOS box? Do you know how the PFX certificate must be placed/added to a given CentOS user? – Dev Dev Oct 08 '14 at 18:34
  • Sorry, I am not familiar with lynx at this point. – cornelinux Oct 09 '14 at 19:41
  • No problem, thanks for pointing me in the right direction. – Dev Dev Oct 10 '14 at 06:47
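The flow the comments converge on (client key and CSR signed by the intermediate CA, PKCS#12 export carrying the CA certificate for Firefox, and SSLVerifyDepth 2 because the chain has one intermediate), as an added shell example that is not from the thread or the linked Makefile. It assumes the openssl CLI is on PATH (1.1 or newer, for `verify -show_chain`); the CNs, file names and the password are made-up placeholders.

```shell
#!/bin/sh
# Constructed example: the root -> intermediate -> client chain from the question, the PKCS#12
# the developer imports, and the checks that explain the errors seen in the thread.
# Assumes: openssl CLI on PATH (1.1+); files go to $PKI (default: a fresh temp dir).
set -e
PKI=${PKI:-$(mktemp -d)}
cd "$PKI"

# issue NAME SUBJECT EXTENSIONS [ISSUER]: new key + CSR, then sign it
# (self-signed when no ISSUER is given). EXTENSIONS may use \n for several lines.
issue() {
  printf '%b\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$1.ext" -days 365 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$1.ext" -days 365 -out "$1.pem" 2>/dev/null
  fi
}

build_pki() {
  issue root         '/CN=Example Root CA'         'basicConstraints=critical,CA:TRUE'
  issue intermediate '/CN=Example Intermediate CA' 'basicConstraints=critical,CA:TRUE,pathlen:0' root
  issue developer    '/CN=developer' 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth' intermediate
  # What SSLCACertificateFile must hold: every CA the client chain passes through.
  cat intermediate.pem root.pem > ca-chain.pem
  # What the developer imports into Firefox: key, client cert and the intermediate (-certfile).
  openssl pkcs12 -export -in developer.pem -inkey developer.key -certfile intermediate.pem \
    -name developer -passout pass:changeit -out developer.p12
}

# Succeeds only if the client cert chains to the given CA file, as mod_ssl requires.
client_verifies() { openssl verify -CAfile "$1" developer.pem >/dev/null 2>&1; }

# Smallest SSLVerifyDepth that accepts the client cert: the root's index in the verified chain
# (signed by the root directly -> 1; one intermediate -> 2, the value that fixed the thread's error).
required_verify_depth() {
  n=$(openssl verify -CAfile ca-chain.pem -show_chain developer.pem 2>/dev/null | grep -c '^depth=')
  echo $((n - 1))
}
# Certificates packed into the PKCS#12: client cert + intermediate = 2.
p12_cert_count() {
  openssl pkcs12 -in developer.p12 -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERT'
}

build_pki
echo "verify with root only:  $(client_verifies root.pem && echo OK || echo FAIL)"     # FAIL
echo "verify with ca-chain:   $(client_verifies ca-chain.pem && echo OK || echo FAIL)" # OK
echo "SSLVerifyDepth needed:  $(required_verify_depth)"                                # 2
```

The first check fails because Apache was never told about the intermediate; the second passes once the bundle contains it, and the depth value is what `SSLVerifyDepth` must be set to for that bundle.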