#REDIRECT ApacheServerClientCertificateAuthentication
 . '''NOTA BENE - WORK IN PROGRESS''' - [[Technology/KnowledgeBase/Server/ApacheServerClientCertificateAuthentication#Inputs_&_Thoughts|Your Inputs & Thoughts]] :-)
 . As well by [[DanielBlack]]: [[attachment:osdc-2009-Daniel-Black-not-another-damn-password.odt| Not-Another-Damn-Password - OSDC 2009]] - [[http://2009.osdc.com.au/programme| OSDC Programme 2009 November 25-27]]
----
== Apache Server Client Certificate Authentication ==
 . by '''[[DanielBlack| Daniel Black]]'''
 . Apache client side authentication using [[ClientCerts]] is based on the [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html|httpd mod_ssl]] documentation and has been deployed for a number of CAcert systems and web applications such as [[https://lists.cacert.org|lists]], [[https://community.cacert.org|webmail (for staff)]] and [[https://blog.cacert.org|blog]].
 . Apache configurations for client side authentication should appear in a [[http://httpd.apache.org/docs/trunk/mod/core.html#virtualhost|VirtualHost]] directive, though they can also exist under other directives such as [[http://httpd.apache.org/docs/trunk/mod/core.html#location|Location]].
 . These directives are in addition to the [[Technology/KnowledgeBase/Server/SimpleApacheCert|SSL server configuration]], though I tend to use [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcacertificatepath|SSLCACertificatePath]] and not use [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcertificatechainfile|SSLCertificateChainFile]].
== Basic Client Side Authentication ==
 . This is for the case where we want a portion of the website to be accessible by certificate only, in this case with any certificate from a set of CAs.
{{{
## Client Verification
SSLVerifyClient optional
SSLVerifyDepth 3
SSLCADNRequestPath /usr/share/ca-certificates/cacert.org/
# error handling
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule .? - [F]
ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"
}}}
 . [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcadnrequestpath|SSLCADNRequestPath]] contains the path of the CA certificates whose names are sent to the client as acceptable for this site (the CAs actually used to verify the client certificate are those in SSLCACertificatePath, so the two should hold the same set). The directory needs to be in the OpenSSL hashed format, containing links from the {{{subject_hash}}} to the file as follows. OpenSSL packages contain a {{{rehash}}} or {{{c_rehash}}} script that can generate these links with a command such as {{{c_rehash /usr/share/ca-certificates/cacert.org/}}}.
{{{
drwxr-xr-x 2 root root 4096 2009-05-14 23:22 .
drwxr-xr-x 9 root root 4096 2007-05-16 23:12 ..
lrwxrwxrwx 1 root root    8 2009-05-14 23:22 5ed36f99.0 -> root.crt
-rw-r--r-- 1 root root 2151 2007-03-04 05:23 class3.crt
lrwxrwxrwx 1 root root   10 2009-05-14 23:22 e5662767.0 -> class3.crt
-rw-r--r-- 1 root root 2569 2007-03-04 05:23 root.crt
}}}
 . Note I have made {{{SSLVerifyClient optional}}}. This is because the error message shown when {{{SSLVerifyClient required}}} is set and a person without a certificate installed accesses the site is rather unintuitive ([[https://bugzilla.mozilla.org/show_bug.cgi?id=419069|Firefox request to improve]]). The simple {{{Rewrite}}} directives at the bottom mean that such a visitor instead gets a forbidden page carrying the message given in ErrorDocument. You will need [[http://httpd.apache.org/docs/trunk/mod/mod_rewrite.html|mod_rewrite]] installed and enabled to use this.
== Specific Certificates allowed - by List ==
 . In addition to the directives above:
{{{
SSLOptions +FakeBasicAuth
SSLRequireSSL
AuthName "Admin Only Area"
AuthType Basic
AuthUserFile /var/www/.htpasswd
require valid-user
}}}
 . The {{{/var/www/.htpasswd}}} file named in AuthUserFile looks like:
{{{
/CN=Daniel Black/emailAddress=daniel@cacert.org:xxj31ZMTZzkVA
}}}
 . The password part {{{xxj31ZMTZzkVA}}} is always the same (it is the encrypted form of the fixed string "password" that FakeBasicAuth presents). The first part is obtained by {{{openssl x509 -noout -subject -in certificate.crt}}}, where certificate.crt is the certificate that you want to give access to.
== Specific Certificates allowed - by Expression ==
 . Sometimes you want to say: yes, accept any certificate from CAcert that has an email address at @example.com, and not worry about maintaining long lists. This is possible as follows:
{{{
SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
}}}
 . A full list of the available variables is at [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslrequire]]. Sometimes certificates contain more than one email address, so:
{{{
SSLRequire %{SSL_CLIENT_S_DN_Email}   =~ m/^[^@]*@example\.com$/ or \
           %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ or \
           %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ or \
           %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ or \
           %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
}}}
 . You should also change your error message (above) to say that certificates for @example.com are required.
== Logging ==
 . The standard Apache combined log format has a field for the username, but authentication with client certificates does not populate it. Keeping the log in the same format is handy if you ever want to analyse it without customising analysis software.
 . To do this use a [[http://httpd.apache.org/docs/trunk/mod/mod_log_config.html#customlog|CustomLog]] with the [[http://httpd.apache.org/docs/trunk/mod/mod_log_config.html#formats|combined log format]], replacing {{{%u}}} with {{{%{SSL_CLIENT_S_DN_Email}x}}} for an email address (or any other [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#envvars|SSL_CLIENT*]] variable you may find useful):
{{{
CustomLog /var/log/apache2/ssl_access.log "%h %l %{SSL_CLIENT_S_DN_Email}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
}}}
== Web Application Authentication ==
 . A number of web applications can use the REMOTE_USER environment variable to provide access control to areas of the web application. These web applications normally describe the use of this feature with Apache Basic or Apache Digest authentication; you can use SSL certificates here instead.
 . You do this using the SSL option [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusername|SSLUserName]] followed by a username [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#envvars|environment variable]]. {{{SSL_CLIENT_S_DN_Email}}} is a useful choice, though it depends on the web application and its users whether having an email address as a username is acceptable.
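As an added worked example (not taken from the original page or from CAcert's own configuration), here is one VirtualHost that assembles the directives discussed in the sections above, including the SSLUserName step; the host name, the server certificate paths and the /app location are assumptions.

```apache
# Added example, not from the original page. Host name and paths are assumed.
<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key

    # Trust anchors actually used to verify the client certificate.
    # Hashed directory as produced by c_rehash.
    SSLCACertificatePath   /usr/share/ca-certificates/cacert.org/
    # CA names advertised to the browser in the CertificateRequest.
    # Keep it identical to SSLCACertificatePath so that no CA is trusted
    # that was never advertised.
    SSLCADNRequestPath     /usr/share/ca-certificates/cacert.org/
    SSLVerifyClient optional
    SSLVerifyDepth  3

    # "optional" plus an explicit check: fail closed with a readable 403
    # instead of an opaque TLS alert when no valid certificate is presented.
    RewriteEngine on
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule .? - [F]
    ErrorDocument 403 "You need a client side certificate for @example.com issued by CAcert to access this site"

    <Location /app>
        # Only certificates carrying an @example.com address get in.
        SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
        # Expose that address to the web application as REMOTE_USER.
        SSLUserName SSL_CLIENT_S_DN_Email
    </Location>

    # Combined log format with the certificate e-mail in the %u slot.
    LogFormat "%h %l %{SSL_CLIENT_S_DN_Email}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" ssl_combined
    CustomLog /var/log/apache2/ssl_access.log ssl_combined
</VirtualHost>
```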
== Revoked Certificate Checking ==
 . OCSP can be used to check if certificates have been revoked. Only versions of Apache after 2.3 are able to check this for you, see [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslocspenable|SSLOCSPEnable]].
 . [[http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslproxycarevocationfile|CRL options]] do exist, though they apply if you have a list of certificates. I don't think this is the same as the CRL from CAs (TODO check).
----
== Inputs & Thoughts ==
 . YYYYMMDD-[[YourName]]
{{{
Text / Your Statements, thoughts and e-mail snippets, Please
}}}
----
 . YYYYMMDD-[[YourName]]
{{{
Text / Your Statements, thoughts and e-mail snippets, Please
}}}
----
 . CategoryRedir