Client certificate authentication


#1

Hello,

I’m trying to configure my Apache server to require that clients provide an SSL certificate in order to gain access to the site. I have the setup working with self-signed certificates, but when I switched over to LE, I’m having a hard time. Could someone please help me out with this? My Apache config looks as follows:

# working configuration with self-signed certs
SSLCertificateFile /etc/ssl/ca/certs/privateTools.crt
SSLCertificateKeyFile /etc/ssl/ca/private/privateTools.key
SSLCertificateChainFile /etc/ssl/ca/certs/privateToolsCA.crt
SSLCACertificateFile /etc/ssl/ca/certs/privateToolsCA.crt

# Not working with LE certs
SSLCertificateKeyFile   /etc/letsencrypt/live/gitlab.dimaj.net/privkey.pem
SSLCertificateFile      /etc/letsencrypt/live/gitlab.dimaj.net/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/gitlab.dimaj.net/chain.pem
#SSLCACertificateFile    /etc/letsencrypt/live/gitlab.dimaj.net/chain.pem

# validate SSL Certificate
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

SSLProxyEngine off

<Directory /srv/websites/phpldapadmin>
    SSLRequireSSL
    SSLOptions +StrictRequire
    Satisfy any
    SSLVerifyClient require
</Directory>

I guess I have 2 questions here…

  1. What do I specify for the SSLCACertificateFile?
  2. How do I get a client certificate, and how do I sign it?

Thank you very much for the help!


#2

Your questions are a bit out of scope for this site, but I’ll try to provide some links.

This (SSLCACertificateFile) will contain CAs that you allow for verification of certificates provided by the client. It’s just a plain-text file with PEM-encoded certificates for CA roots.

Outside LE territory here. You can go to a registrar that sells client certificates, make your own CA and sign certificate requests yourself, or anything similar.

For Apache HTTPd, you’ll probably want to look at SSLVerifyClient along with SSLRequire or the newer replacement Require expr.


#3

As far as I know, Let’s Encrypt only issues DV certificates, not client certificates. So for client verification, you’ll probably want to use another CA.

BTW, the CA for client verification (SSLCACertificateFile) doesn’t have to be the same CA as for your server’s certificate (SSLCertificateFile). Those can be different.


#4

Additionally, he’s going to want to use a CA that he himself runs. You can’t trust client certificates issued by anyone else…

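Replies #2 through #4 leave the mechanics implicit: the client-auth CA is one you run yourself, its root certificate is what goes into SSLCACertificateFile, and it is independent of the Let’s Encrypt chain that signs the server certificate. The script below is an added example and not code from this thread. It builds such a CA with openssl, signs a client certificate that is constrained to TLS client authentication, bundles it for a browser, and performs the same chain check Apache performs at SSLVerifyClient. The output directory, the subject names and the PKCS#12 password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA for client-certificate
# authentication, kept separate from the Let's Encrypt server certificate.
# Assumptions: a writable output directory passed as $1, and the subject names
# "privateTools client CA" and "alice"; change them to suit.
set -eu

# Create the CA, a client key and CSR, sign the CSR, and bundle the result.
make_client_ca() {
    dir="$1"
    mkdir -p "$dir"

    # 1. The CA root. This file is what SSLCACertificateFile points at.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=privateTools client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. The client's own key and a signing request for it.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=alice" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null

    # 3. Sign the request with the CA. The extensions mark the result as an
    #    end-entity certificate usable only for TLS client authentication, so a
    #    leaked client cert cannot be used to issue further certificates or to
    #    run a server that this CA would appear to vouch for.
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature' \
        'extendedKeyUsage = clientAuth' > "$dir/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null

    # 4. Browsers import key and cert together as PKCS#12 (password is a placeholder).
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -name "alice" -passout pass:changeit -out "$dir/client.p12"
}

# The check Apache performs for SSLVerifyClient: does the certificate ($2)
# chain to the CA file ($1)? Exit status 0 means yes. Any other CA file, such
# as the LE chain.pem, must fail for a certificate issued by this CA.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "1" if the certificate carries the clientAuth EKU, else "0".
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -c 'TLS Web Client Authentication' || true
}

# Stand-alone usage: sh make_client_ca.sh ./clientca
if [ "$#" -gt 0 ]; then
    make_client_ca "$1"
    if verify_client_cert "$1/ca.crt" "$1/client.crt"; then
        echo "$1/client.crt chains to $1/ca.crt: OK"
    else
        echo "$1/client.crt does not chain to $1/ca.crt" >&2
        exit 1
    fi
fi
```

Point SSLCACertificateFile at ca.crt and import client.p12 into the browser. The LE chain.pem from the first post is the wrong file for that directive: it only records who signed the server certificate, so no client certificate would ever verify against it. Keep ca.key off the web server; it is needed only when signing new client requests, and whoever holds it can mint a certificate that passes the check.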

#5

thank you for your replies guys!

I didn’t know that the validation cert could be different! Got my setup working again! So I’m using the LE certs to secure my site and a self-signed cert for authentication.

Thanks a lot for the help!


#6

Can you please share your setup as I also want to do the same.


#7

Hello Michelde,

Here’s my config:

<VirtualHost *:443>
    # Some other directives go here

    SSLEngine On

    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

    # server certificate, and the CA used to verify client certificates
    # (it does not have to be the CA that issued the server certificate)
    SSLCertificateFile /etc/ssl/ca/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/ca/private/server.key
    SSLCACertificateFile /etc/ssl/ca/certs/serverCA.crt
    # optional: the handshake completes without a client cert; the rewrite
    # rules below decide who gets through without one
    SSLVerifyClient optional

    SSLProxyEngine Off

    ProxyRequests Off

    <Location />
        Order deny,allow
        Deny from all

        Satisfy any
        Allow from 192.168.1.0/24

        # this block is used to avoid forcing a cert if i'm on my local network:
        # forbid the request unless the client cert verified or the client is on 192.168.1.0/24
        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
        RewriteRule   ^  -  [F]
    </Location>
</VirtualHost>

I hope this helps!

Regards,

dimaj http://blog.dimaj.net


#8

The old crypto features in that configuration look rather scary to me. I’d like to make a plug for

https://mozilla.github.io/server-side-tls/ssl-config-generator/

to update the cryptographic parameters there.


#9

That looks interesting. Thanks!