NOTA BENE - WORK IN PROGRESS
See also, by Daniel Black: Not-Another-Damn-Password - OSDC 2009 (OSDC Programme 2009, November 25-27)
Apache Server Client Certificate Authentication
by Daniel Black
Apache client-side authentication using client certificates is based on the httpd mod_ssl documentation and has been deployed for a number of CAcert systems and web applications such as lists, webmail (for staff) and the blog.
The Apache configuration for client-side authentication should normally live inside a VirtualHost block, though the same directives can also be used under other containers such as Location.
These directives are in addition to the usual SSL server configuration (SSLEngine, SSLCertificateFile, SSLCertificateKeyFile). For the CAs that client certificates are verified against I use SSLCACertificatePath rather than SSLCertificateChainFile.
Basic Client Side Authentication
- This is for the case where we want a portion of the website to be accessible by certificate only; in this case, any certificate from a set of CAs.
    ## Client Verification
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLCADNRequestPath /usr/share/ca-certificates/cacert.org/

    # error handling
    RewriteEngine on
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule .? - [F]
    ErrorDocument 403 "You need a client side certificate issued by CAcert to access this site"
SSLCADNRequestPath points at a directory of the CA certificates whose names the server advertises to the client as acceptable issuers when it asks for a certificate (the verification itself uses the CAs given by SSLCACertificatePath or SSLCACertificateFile, normally the same set). The directory must be in the OpenSSL hashed format, containing symlinks from the subject hash to each certificate file, as in the listing below. OpenSSL packages ship a c_rehash script (newer releases also have openssl rehash) that generates the links: c_rehash /usr/share/ca-certificates/cacert.org/.
    drwxr-xr-x 2 root root 4096 2009-05-14 23:22 .
    drwxr-xr-x 9 root root 4096 2007-05-16 23:12 ..
    lrwxrwxrwx 1 root root    8 2009-05-14 23:22 5ed36f99.0 -> root.crt
    -rw-r--r-- 1 root root 2151 2007-03-04 05:23 class3.crt
    lrwxrwxrwx 1 root root   10 2009-05-14 23:22 e5662767.0 -> class3.crt
    -rw-r--r-- 1 root root 2569 2007-03-04 05:23 root.crt
Note that I have made SSLVerifyClient optional. With SSLVerifyClient require, a person who has no certificate installed gets a rather unintuitive TLS handshake error from the browser (a Firefox request to improve this exists). With optional, the handshake completes even without a certificate, and the RewriteCond/RewriteRule at the bottom turn any request whose SSL_CLIENT_VERIFY is not SUCCESS into a 403, so the visitor sees the text given by ErrorDocument instead. The rewrite check must be in effect for every path you want protected (putting it in the VirtualHost covers the whole site), and you need mod_rewrite installed and enabled to use it.
Specific Certificates allowed - by List
- In addition to those directives above:
    SSLOptions +FakeBasicAuth
    SSLRequireSSL
    AuthName "Admin Only Area"
    AuthType Basic
    AuthUserFile /var/www/.htpasswd
    Require valid-user
The /var/www/.htpasswd file (named by AuthUserFile; keep it outside the DocumentRoot or otherwise unreachable over the web) looks like:
/CN=Daniel Black/emailAddress=daniel@cacert.org:xxj31ZMTZzkVA
The password part, xxj31ZMTZzkVA, is always the same: it is the crypt() hash of the word "password", which mod_ssl's FakeBasicAuth supplies for every user (the mod_ssl documentation also gives an MD5 form for systems whose crypt() cannot read DES hashes). Because that password is public knowledge, never share this file with a location that accepts ordinary password-based Basic authentication without a client certificate; mod_ssl refuses a hand-typed Basic login that looks like a DN with that password, but the file should not be relied on anywhere else. The first part is obtained with openssl x509 -noout -subject -in certificate.crt, where certificate.crt is the certificate you want to give access to. Newer OpenSSL releases print the subject in a different style by default; add -nameopt compat to get the slash-separated form that FakeBasicAuth uses, and compare the result against the DN the server logs for that client.
Specific Certificates allowed - by Expression
- Sometimes you want to say: accept any certificate from CAcert that carries an e-mail address at @example.com, without maintaining long lists. This is possible as follows:
SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
The full list of variables usable in SSLRequire is at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslrequire (Apache 2.4 deprecates SSLRequire in favour of Require expr, which accepts the same variables and regex syntax). A certificate's subject may carry more than one emailAddress attribute; the _n suffix selects the nth one, and the name without a suffix is the same as _0, so to accept a match on any of the first four:
    SSLRequire %{SSL_CLIENT_S_DN_Email}   =~ m/^[^@]*@example\.com$/ \
            or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ \
            or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ \
            or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ \
            or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
- A failed SSLRequire also answers with 403, so change the ErrorDocument message (above) to say that a certificate with an @example.com address is required.
Logging
- The standard Apache combined log format has a field for the user name (%u), but client-certificate authentication does not fill it in. Keeping the log in the combined format is handy if you ever want to analyse it without customising the analysis software.
To do this, use CustomLog with the combined format, replacing %u with %{SSL_CLIENT_S_DN_Email}x for the e-mail address (or any other SSL_CLIENT_* variable you find useful; the %{...}x lookup goes straight to mod_ssl and does not need SSLOptions +StdEnvVars).
Web Application Authentication
- A number of web applications can use the REMOTE_USER environment variable to control access to areas of the application. They normally document this feature in terms of Apache Basic or Digest authentication, but SSL certificates can be used in the same way.
To do this, use the SSLUserName directive followed by the name of the SSL variable to use as the user name. SSL_CLIENT_S_DN_Email is useful, though whether an e-mail address is acceptable as a user name depends on the application and its users. The application then trusts REMOTE_USER completely, so make sure the SSLVerifyClient check above is in force for every path that reaches it.
The full CustomLog line for the Logging section above is:

    CustomLog /var/log/apache2/ssl_access.log "%h %l %{SSL_CLIENT_S_DN_Email}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
Revoked Certificate Checking
OCSP can be used to check whether a certificate has been revoked. Only Apache 2.3 and later can do this for you, with SSLOCSPEnable on; it queries the responder named in the certificate's Authority Information Access extension (SSLOCSPDefaultResponder and SSLOCSPOverrideResponder let you force a particular responder).
CRL checking is available in all versions: SSLCARevocationFile and SSLCARevocationPath take the CRLs published by the CAs, in PEM format (the path form needs c_rehash symlinks, just like the CA directory). These are the CA's own CRLs, not a list of individual certificates you maintain, and they must be refreshed before they expire, since an expired CRL makes verification fail. On Apache 2.4 CRL checking is additionally switched on with SSLCARevocationCheck chain (or leaf); without it the CRL files are loaded but not consulted.
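The sections above combined into one VirtualHost, as an added example that is not part of the original article. The ServerName, the server certificate and key paths, the /staff, /admin and /webmail locations, the CRL file name and the htpasswd location are assumptions for illustration; the CAcert CA directory and the directives themselves are the ones the article uses.

```apache
# Added example, not from the original article: the article's sections combined
# into one VirtualHost. ServerName, certificate/key paths, the /staff, /admin
# and /webmail locations, the CRL file and the htpasswd path are assumptions.
<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/html

    # Ordinary SSL server configuration
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # CAs the client certificate must chain to. The directory must be hashed
    # (c_rehash) so that links such as 5ed36f99.0 -> root.crt exist.
    SSLCACertificatePath /usr/share/ca-certificates/cacert.org/
    # Issuer names advertised to the browser so it offers a matching certificate;
    # verification itself uses SSLCACertificatePath above.
    SSLCADNRequestPath   /usr/share/ca-certificates/cacert.org/

    # Basic client-side authentication: request a certificate but let the
    # handshake succeed without one, then refuse at the HTTP layer so the visitor
    # sees the ErrorDocument text rather than a browser TLS error.
    SSLVerifyClient optional
    SSLVerifyDepth  3
    RewriteEngine on
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule .? - [F]
    ErrorDocument 403 "You need a client side certificate issued by CAcert, with an @example.com address, to access this site"

    # Revocation: the CA's PEM CRL. Keep it current; an expired CRL fails
    # verification. Apache 2.4 also needs SSLCARevocationCheck before it consults
    # the CRL, and 2.3+ can query OCSP instead (both commented out for 2.2).
    SSLCARevocationFile /etc/ssl/crl/cacert-class3.crl
    #SSLCARevocationCheck chain
    #SSLOCSPEnable on

    # Logging: the certificate e-mail goes into the %u slot; the format is
    # otherwise the standard combined one, so existing analysers still parse it.
    CustomLog /var/log/apache2/ssl_access.log "%h %l %{SSL_CLIENT_S_DN_Email}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

    # By expression: any verified CAcert certificate carrying an @example.com
    # address in one of its first two emailAddress attributes (the un-suffixed
    # variable name is the same as _0).
    <Location /staff>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ \
                or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
    </Location>

    # By list: the subject DN becomes the Basic auth user name. Every line of the
    # file ends in xxj31ZMTZzkVA (crypt of "password"), so never share this file
    # with a location that does real password authentication, and keep it
    # outside DocumentRoot.
    <Location /admin>
        SSLRequireSSL
        SSLOptions +FakeBasicAuth
        AuthName "Admin Only Area"
        AuthType Basic
        AuthUserFile /etc/apache2/clientcert.htpasswd
        Require valid-user
    </Location>

    # Web application authentication: the application reads REMOTE_USER, which
    # here becomes the certificate's e-mail address.
    <Location /webmail>
        SSLRequireSSL
        SSLUserName SSL_CLIENT_S_DN_Email
    </Location>
</VirtualHost>
```

To check the result, request / with no certificate (expect a 403 carrying the ErrorDocument text), with a CAcert certificate lacking an @example.com address (expect / to work and /staff to be refused), and with a certificate whose DN is listed in the htpasswd file (expect /admin to work); the third field of ssl_access.log should show the e-mail address in each case where a certificate was presented.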