SSL website encryption AND client-certificate authentication

In our example configuration we have to create three certificates: one for the root CA, one for the SSL encryption of the website and one with which a client authenticates to the application.

Create certificates
For better understanding, this documentation goes through the whole process, from creating the root CA to authenticating to the application with a client certificate.

Software requirements:
 * openssl
 * apache

Create the root-CA
First we have to create a root CA, so that we can sign the SSL certificate and the client certificate with it and the server will accept both.

    mkdir newcerts
    echo -ne "01" > serial
    echo -ne "01" > crlnumber
    touch index.txt
    locate openssl.cnf
    cp path/openssl.cnf ./ca.cnf
    vi ca.cnf

Let's configure the ca.cnf so that we can create the root-CA.

    ...
    [ CA_default ]
    dir           = path/newcerts
    ...
    new_certs_dir = $dir
    certificate   = $dir/ca.crt
    private_key   = $dir/ca.key

If you want to save some time during certificate creation, you can preset the following fields in ca.cnf.

    ...
    [ req_distinguished_name ]
    countryName = ...
    ...

Create the ca.key

    openssl genrsa -des3 -out ca.key 2048
    Enter pass phrase for ca.key:*****
    Verifying - Enter pass phrase for ca.key:*****

Create the ca.crt

    openssl req -config ./ca.cnf -new -x509 -days 3650 -key ./ca.key -out ./ca.crt
    Enter pass phrase for ca.key:*****
    Country Name ...

Create the SSL-certificate
Create the SSL certificate for the required domain, in our example a dyndns domain called "test.dyndns.info". We give the SSL certificate an expiration time of 730 days. (The 1024-bit RSA keys used here are no longer considered adequate; current guidance is at least 2048 bits.)

    openssl genrsa -out test.dyndns.info.key 1024
    openssl req -config ./ca.cnf -new -key test.dyndns.info.key -out test.dyndns.info.csr
    ...
    Common Name ... = test.dyndns.info
    ...
    openssl ca -config ./ca.cnf -days 730 -in test.dyndns.info.csr -out test.dyndns.info.crt

After that you will have to enter the pass phrase (the one set on ca.key, which signs the request) and confirm that you want to sign the certificate. Now, if everything went fine, we have an SSL certificate signed by our own CA with the filename test.dyndns.info.crt, which you can use in the Apache server.

Create the Client-certificate
In our example we use a fictitious name plus the dyndns domain name, "client1.test.dyndns.info". We give the client certificate an expiration time of 730 days.

    openssl genrsa -des3 -out client1.test.dyndns.info.key 1024
    openssl req -config ./ca.cnf -new -key client1.test.dyndns.info.key -out client1.test.dyndns.info.csr
    ...
    openssl ca -config ./ca.cnf -days 730 -in client1.test.dyndns.info.csr -out client1.test.dyndns.info.crt

To complete the steps we have to convert the client certificate to PKCS#12 (p12) format so that you can install it in a browser, for example Firefox. If you want, you can set a pass phrase on the certificate, so that you are asked for the password each time you use the client certificate, but this is not a must.

    openssl pkcs12 -export -in client1.test.dyndns.info.crt -inkey client1.test.dyndns.info.key -certfile ca.crt -out client1.test.dyndns.info.p12

Enter a password for your client certificate, or leave it blank if you don't want one. After that you will be asked for the export password, which you have to enter. Don't leave this one blank!
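The whole certificate procedure above, as an added shell example that is not part of the original page: it rebuilds the same root CA, server certificate, client certificate and .p12 bundle non-interactively (unencrypted keys and "openssl x509 -req" instead of "openssl ca", so no ca.cnf is needed) and then runs the checks the page leaves out: that each certificate chains to ca.crt and has not expired, and that the .p12 really carries the CA certificate a browser needs. The temporary work directory, the "Example Root CA" subject and the export password "exportpw" are assumptions; the host names follow the page.

```shell
#!/bin/sh
# Added example (not the original page's commands): rebuild the CA -> server
# cert -> client cert -> .p12 chain without prompts, then verify it.
# Assumptions: fresh temp work directory, CA subject "Example Root CA",
# export password "exportpw". Host names are the ones used on the page.
set -eu

# Build the chain in directory $1. Keys stay unencrypted (-nodes) and the leaf
# certificates are signed with "x509 -req", so no ca.cnf / index.txt is needed.
build_chain() {
    mkdir -p "$1" && cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt 2>/dev/null
    for name in test.dyndns.info client1.test.dyndns.info; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -days 730 -in "$name.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out "$name.crt" 2>/dev/null
    done
    # Browser bundle: client key + client cert + CA cert (page: pkcs12 -export)
    openssl pkcs12 -export -in client1.test.dyndns.info.crt \
        -inkey client1.test.dyndns.info.key -certfile ca.crt \
        -passout pass:exportpw -out client1.test.dyndns.info.p12
}

# Return 0 only if certificate $2 chains to the CA in $1 and has not expired.
# This is the core of what mod_ssl checks for "SSLVerifyClient require"
# against SSLCACertificateFile.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1
}

# Print the number of CA certificates inside .p12 file $1 (expected: 1, ca.crt).
p12_ca_count() {
    openssl pkcs12 -in "$1" -passin pass:exportpw -nokeys -cacerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

main() {
    build_chain "$(mktemp -d)"
    verify_cert ca.crt test.dyndns.info.crt && echo "server certificate: ok"
    verify_cert ca.crt client1.test.dyndns.info.crt && echo "client certificate: ok"
    echo "CA certificates in p12: $(p12_ca_count client1.test.dyndns.info.p12)"
}
main
```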

Additional information
If you want to use the created certificates with Apache, we recommend copying them to the following path.

    cp path/ca.crt /etc/ssl/
    cp path/test.dyndns.info.crt /etc/ssl/
    cp path/test.dyndns.info.csr /etc/ssl/
    cp path/test.dyndns.info.key /etc/ssl/

Configure Apache
This example configuration shows you how to use the SSL certificate and the client certificate created above to serve an SSL-encrypted website and to restrict access to it with the client certificate. For further information and documentation see the Apache documentation.

SSL encryption
Create a virtual host entry which listens on the SSL port (443). In our example we use the IP address "10.0.0.1" and the domain name "test.dyndns.info", for which we created the SSL certificate.

    <VirtualHost 10.0.0.1:443>
        ServerName test.dyndns.info
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile "/etc/ssl/test.dyndns.info.crt"
        SSLCertificateKeyFile "/etc/ssl/test.dyndns.info.key"
        SSLCACertificateFile "/etc/ssl/ca.crt"
        ...
    </VirtualHost>

SSLCACertificateFile names the CA that signed the client certificates; SSLVerifyClient (below) checks presented client certificates against it. Note that the SSLCipherSuite string shown here is the classic mod_ssl example and still admits null-encryption (+eNULL), export (+EXP) and LOW-strength ciphers as well as SSLv2; a current deployment should restrict it to HIGH-strength suites.

SSL client authentication
To allow access to the website only with a client certificate, update the location entry in the Apache configuration.

    ...
    <Location ...>
        Order deny,allow
        Allow from ALL
        SSLVerifyClient require
    </Location>
    ...