16
votes

The question is very clear but I did not find any useful tutorial online. So I wish I could have some luck here.

Basically, I want to build a client certificate authentication with Apache. I configured the conf file for Apache for the site I am hosting. The conf I put is here:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/client.crt

However I have no idea how to generate the certificate and key file for the client. And also, what file should I put in the SSLCACertificateFile in the Apache server configuration?

Does the server simply compare the certificate file sent from the client with the certificate file on the server? What exactly is the client certificate authentication doing?

2
You're off topic and your question doesn't make sense. If you're running the server, you don't generate anything for the client. The client generates his own key and certificate. If he wants you to authenticate him, it is also up to him to either get it signed by a CA you trust, or export it to you.user207421
@EJP, that's incorrect: if you have your own CA, the client generates a key and certificate request, then you generate a certificate (using the cert request and your CA). You can then check that a user connects with a certificate (and matching key) that was "signed" by your CA.jcaron

2 Answers

14
votes

You'll find instructions on how to create a CA cert and certs signed by this CA cert here: http://pages.cs.wisc.edu/~zmiller/ca-howto/

Things go like this:

  • you set up your root CA key and cert
  • client generates his private key and certificate request
  • they send you the certificate request
  • you generate the certificate using the certificate request, your root CA cert and root CA key
  • you return the certificate to the client

You can then check that the client presents a certificate which is "signed" by the CA.
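The five steps above, run end to end with the openssl command line, as an added example that is not part of the answer or of the linked how-to. File names, subjects and the scratch directory are assumptions; the CA certificate produced here (ca.crt) is what belongs in SSLCACertificateFile, and the final function performs the same chain check mod_ssl does for SSLVerifyClient require with SSLVerifyDepth 1.

```shell
# Added example (not the answer's own code): CA setup, client CSR, signing,
# and chain verification with the openssl CLI. Names are assumptions.
set -eu

# Runs the full flow in a fresh temp dir and prints that dir's path.
ca_client_flow() {
    dir=$(mktemp -d)
    # Step 1 (server side): root CA key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Steps 2-3 (client side): private key and certificate request.
    # Only client.csr travels to the server; client.key never leaves the client.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=alice" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # Step 4 (server side): issue client.crt from the CSR with the CA key.
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    # Step 5: client.crt is returned to the client, who uses it with client.key.
    echo "$dir"
}

# What the server checks: does the presented cert chain to ca.crt?
# This is the check behind SSLVerifyClient require + SSLCACertificateFile.
verify_against_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# A cert that was not issued by our CA (here: self-signed) must fail the
# same check, which is why the CA cert, not a client cert, goes in the config.
verify_foreign_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=mallory" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
    openssl verify -CAfile "$1/ca.crt" "$1/other.crt" >/dev/null 2>&1
}
```

Run `d=$(ca_client_flow); verify_against_ca "$d" && echo ok` to see the happy path; `verify_foreign_cert "$d"` returns non-zero.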

4
votes

It is important to understand SSLVerifyClient and the other directives. From Practical Issues with TLS Client Certificate Authentication (page 3):

The default value none of SSLVerifyClient does not require CCA; therefore the server will not include a CertificateRequest message in the TLS handshake.

The value require will require CCA, and thus the CertificateRequest message will be included in the handshake. If the client does not provide any certificate in the client’s Certificate message or mod_ssl fails to verify the certificate provided, the TLS handshake will be aborted and a fatal TLS alert message will be sent to the client.

The value optional is the same as require, but an empty client’s Certificate message will be tolerated.

The last possible value optional_no_ca is the same as optional, but in addition it allows a client’s certificate to be submitted that does not chain up to the CA trusted by the server (because of a bug in OpenSSL [6] not yet valid or expired non-self-signed client certificates will also be accepted).

The value optional_no_ca can be used to perform certificate verification at an application level or to implement PKI-less public-key authentication that uses X.509 certificates as a public-key transport.