
Generating client certificates by becoming your own CA with an Apache web server is trivial work and there's plenty of documentation out there on how to achieve this. My problem is slightly different.

I have several clients out there that want to have their own PKI infrastructure. They want to be able to generate their own client certificates and revoke them as well. Our webserver(s) are still responsible for authorizing them when they access our web service.

Would anyone be able to chime in on what are some possible solutions I can look into? I see Apache 2.3 has some SSLOCSP* related directives (http://httpd.apache.org/docs/2.3/mod/mod_ssl.html) but I'm not entirely thrilled about using Apache 2.3 and even more so, it looks like there are browser limitations to SSLOCSP* and we're dealing with clients that don't find that acceptable.

imaginative

2 Answers


There isn't a truly automated method at present.

I'm not really that keen on the SSL*Path directives personally because they can be troublesome to maintain. So what we do is to use SSLCACertificateFile, SSLCADNRequestFile and SSLCARevocationFile. Then some Python scripting to handle CRL updates as follows:

  1. Fetch the latest CRL from the CRL Distribution Point (x509v3 extensions).
  2. Validate the CRL contents against a local copy of the CA cert.
  3. Write the new CRL to disk.
  4. Repeat for other CAs.
  5. Restart Apache gracefully.

In which case you just need to obtain a CA cert and CRL distribution point from the clients which are managing their own CAs.

Dan Carley
  • The steps above worked for me, the only thing I needed to add was to convert the CRL to PEM format from DER, using this command: openssl crl -inform DER -outform PEM -in CRLFile.crl -out CRLFile.crl.pem It may depend if your CRL provider chooses DER format vs PEM. Apache was a lot happier with the PEM. – Clark Jan 22 '14 at 20:42
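The five-step refresh loop this answer describes, written out as an added example in POSIX sh around the openssl CLI (it is not the answerer's Python script and not code from the original page). It also performs the DER-to-PEM conversion Clark's comment mentions, keeps the previously installed CRL whenever a fetch or the signature check fails, and restarts Apache only if some CRL actually changed. Everything beyond the answer's own steps is an assumption: curl for http(s) fetches, a list file of `<name> <ca.pem> <cdp-url>` lines, an `APACHECTL` variable naming the restart command, and a `make_demo_ca` fixture that builds a throwaway CA with openssl so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not the answerer's script): the CRL refresh loop described in
# the answer above, in POSIX sh with the openssl CLI.  Assumptions not in the
# original: curl for http(s) fetches, a list file of "<name> <ca.pem> <cdp-url>"
# lines, and APACHECTL naming the restart command (defaults to apachectl).
set -eu

# Apache wants PEM; a distribution point may serve DER.  Print PEM either way.
to_pem() {                                   # to_pem <crl-file>
    if grep -q '^-----BEGIN X509 CRL-----' "$1"; then
        cat "$1"
    else
        openssl crl -inform DER -in "$1" -outform PEM
    fi
}

# First URI in a certificate's X509v3 CRL Distribution Points extension.
crl_url_from_cert() {                        # crl_url_from_cert <cert.pem>
    openssl x509 -in "$1" -noout -text \
        | sed -n '/CRL Distribution Points/,/URI:/s/.*URI:\([^ ]*\).*/\1/p' \
        | head -n 1
}

# Step 2: openssl prints "verify OK" only if the CRL issuer matches the CA cert
# we hold locally and the CRL signature checks against its key.
crl_is_valid() {                             # crl_is_valid <crl.pem> <ca.pem>
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Step 1: fetch from the distribution point (file:// is handy for testing).
fetch_crl() {                                # fetch_crl <url> <out-file>
    case $1 in
        file://*)           cp "${1#file://}" "$2" ;;
        http://*|https://*) curl -fsS --max-time 30 -o "$2" "$1" ;;
        *) echo "unsupported CDP URL: $1" >&2; return 1 ;;
    esac
}

# Steps 1-3 for one CA.  Prints "changed" or "unchanged"; returns 1 and keeps
# the installed CRL if the fetched one fails conversion or validation.
refresh_crl() {                              # refresh_crl <name> <ca.pem> <url> <crl-dir>
    raw=$(mktemp)
    pem=$(mktemp "$4/.$1.XXXXXX")            # same filesystem, so mv is an atomic rename
    if ! fetch_crl "$3" "$raw" || ! to_pem "$raw" > "$pem" || ! crl_is_valid "$pem" "$2"; then
        echo "CRL for $1 from $3 rejected; keeping the installed copy" >&2
        rm -f "$raw" "$pem"
        return 1
    fi
    rm -f "$raw"
    if [ -f "$4/$1.crl.pem" ] && cmp -s "$pem" "$4/$1.crl.pem"; then
        rm -f "$pem"; echo unchanged
    else
        chmod 0644 "$pem"; mv "$pem" "$4/$1.crl.pem"; echo changed
    fi
}

# Steps 4-5: every CA in the list, then one graceful restart if anything changed.
refresh_all() {                              # refresh_all <list-file> <crl-dir>
    changed=0; failed=0
    while read -r name ca url; do
        case $name in ''|'#'*) continue ;; esac
        result=$(refresh_crl "$name" "$ca" "$url" "$2") || result=rejected
        case $result in
            changed)   changed=1 ;;
            unchanged) ;;
            *)         failed=1 ;;
        esac
    done < "$1"
    [ "$changed" -eq 0 ] || "${APACHECTL:-apachectl}" graceful
    return "$failed"
}

# Constructed test fixture, not anything from the question: a throwaway CA whose
# own cert carries a CDP, plus an empty CRL signed by it, built with openssl.
make_demo_ca() {                             # make_demo_ca <dir> <common-name>
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/crlnumber"; echo 1000 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
certificate = $1/ca.pem
private_key = $1/ca.key
serial = $1/serial
crlnumber = $1/crlnumber
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
crlDistributionPoints = URI:http://crl.example.invalid/$2.crl
EOF
    openssl req -config "$1/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -crldays 1 -out "$1/ca.crl.pem" 2>/dev/null
}

# Usage: crl-refresh.sh <list-file> <crl-dir>   (typically from cron)
if [ "$#" -eq 2 ]; then refresh_all "$1" "$2"; fi
```

Point SSLCARevocationFile at the written files, or SSLCARevocationPath at the directory after running c_rehash so the `<hash>.r0` links exist. What the script does not check is the CRL's nextUpdate: mod_ssl treats an expired CRL as a verification failure for every client of that CA, so a stale file is as damaging as a missing one and the refresh job needs monitoring.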

Assuming you are happy to trust every certificate that their CA signs, then you should be able to use SSLCACertificatePath and SSLVerifyClient require to verify your clients. This does mean that you're unable to know when you should reject revoked certificates. Apache 2.2 does have an SSLCARevocationPath option into which you can put CRL files. This would require you to synchronise your CRL files periodically. The frequency of updating would depend on how long it takes to sync and how long after a certificate has been revoked you're happy to accept it for. If the syncing takes longer than you're happy with, then this approach will not work. If you really need real-time checking of your certificates, then you will probably have to wait until Apache 2.4 is released.

http://www.apacheweek.com/features/crl seems to provide a little more detail on how to set this up correctly.

Regarding OCSP, do you need browser support? Presumably if you're only checking client certificates are valid, only the server needs to support OCSP.

David Pashley
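The mod_ssl configuration this answer sketches (trust the clients' CA certs, require a client cert, check synchronised CRLs), as an added example config that is not from either answer or from the Apache project. The virtual host name, file paths, and the idea of keeping one concatenated client-CA bundle are assumptions; the directive semantics are as documented for Apache 2.2 and 2.4.

```apache
<VirtualHost *:443>
    ServerName service.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/service.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/service.example.com.key

    # Every client CA we have agreed to trust, as one concatenated PEM bundle
    # (assumed layout; SSLCACertificatePath with c_rehash'd files also works).
    SSLCACertificateFile  /etc/apache2/ssl/client-cas.pem
    # Only these CA names go into the CertificateRequest, so clients pick the
    # right certificate rather than being offered every CA in the bundle.
    SSLCADNRequestFile    /etc/apache2/ssl/client-cas.pem

    # A certificate signed by one of those CAs is mandatory; raise the depth if
    # the clients issue from intermediates rather than the root you were given.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # The CRLs synchronised from each client's distribution point.  With
    # SSLCARevocationPath the files must be PEM and reachable through
    # <hash>.r0 links (run c_rehash after each sync); SSLCARevocationFile
    # takes one concatenated file instead.  On 2.2 either directive turns
    # CRL checking on by itself.
    SSLCARevocationPath   /etc/apache2/ssl/crls

    # Apache 2.4 only: the CRL directives do nothing until checking is enabled
    # here; "chain" also checks intermediates, "leaf" only the client cert.
    # SSLCARevocationCheck chain
    # Apache 2.4 also lets the server query OCSP for client certificates itself,
    # which is the "realtime" option the question's browser concern does not
    # apply to, since no browser is involved in a server-side lookup.
    # SSLOCSPEnable on
</VirtualHost>
```

Whichever revocation directive is used, mod_ssl loads the CRLs at startup, so every sync needs a graceful restart to take effect, and an out-of-date CRL (past its nextUpdate) causes verification to fail for all of that CA's clients rather than quietly being ignored.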