Wednesday 24 September 2014

Mutual SSL authentication in Ubuntu

Two-way SSL using CA certificates

 cd /root

 mkdir CA

 cd CA

 mkdir newcerts private

vi openssl.cnf

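#
# OpenSSL configuration file for the mutual-SSL CA kept in /root/CA.
# Read by "openssl req -config ./openssl.cnf" and, for the certificate
# extensions, by "openssl x509 -extfile openssl.cnf -extensions <section>".
# Comments are introduced by #; keep them on their own line so no comment
# text ends up inside a value.
#
# Working directory: every $dir path below is resolved from where openssl runs.
dir = .
# RSA key size in bits for keys "openssl req" generates without -newkey.
# (The original line read "ts = 1024", a truncated default_bits; the commands
# on this page pass rsa:2048 explicitly, so 2048 is the size actually in use.)
default_bits = 2048
# Name of the key "openssl req" writes when -keyout is not given.
default_keyfile = key.pem
# Signature digest. MD5 is collision-broken and refused by current clients;
# sha256 is the baseline for everything issued here (also set in [ CA_default ]
# and [ req ] below, which override this default-section value).
default_md = sha256
# Characters permitted in DN strings.
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = v3_req

# Entry point for "openssl ca". The commands on this page sign with
# "openssl x509 -req" instead, so this section is only exercised once
# $dir/serial and $dir/index.txt have been created.
[ ca ]

default_ca = CA_default

[ CA_default ]

serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
# validity, in days, of certificates issued by "openssl ca"
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

# DN policy for "openssl ca": "match" fields must equal the CA's own DN.
[ policy_match ]

countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Settings for "openssl req" (CSRs and the self-signed CA certificate).
[ req ]

default_md = sha256
distinguished_name = req_distinguished_name

# Prompts and defaults for the subject DN. A field is only prompted for when
# its bare name is listed; "<field>_default" is taken when the prompt is
# answered with an empty line. stateOrProvinceName previously had a default
# but no prompt, so it was never asked for and never written into the DN
# even though policy_match requires it.
[ req_distinguished_name ]

countryName = Country
countryName_default = IN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province
stateOrProvinceName_default = Karnataka
localityName = Locality
localityName_default = Bangalore
organizationName = Organization
organizationName_default = edurite
commonName = Common Name
commonName_max = 64

# Extensions for the self-signed CA certificate (-extensions certauth).
# A critical basicConstraints plus a keyUsage limited to certificate and CRL
# signing stops the CA certificate from being accepted as an end-entity cert.
[ certauth ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign

# Extensions for the server certificate (-extensions server).
# No subjectAltName is set. Current browsers match the host against SAN,
# not CN, so add one (for this page's vhost: subjectAltName = IP:10.98.33.136)
# if a browser must trust the server certificate.
[ server ]

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server

# Extensions for client certificates (-extensions client).
[ client ]

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client

# Extensions written into CSRs by "openssl req -new" (req_extensions above).
# At signing time the -extensions section given to "openssl x509" is what
# ends up in the certificate.
[ v3_req ]

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash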

Generate the self-signed CA certificate, then the server and client certificates

 openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

 openssl genrsa -out server.key 2048

 openssl req -config ./openssl.cnf -new -key server.key -out server.req

 openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.cer

 rm server.req

 openssl genrsa -out client.key 2048

openssl req -config ./openssl.cnf -new -key client.key -out client.req

 openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.cer

 openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

 rm client.key client.cer client.req

vi /etc/apache2/sites-available/default

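<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName 10.98.33.136:443

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg. (Set once; a second LogLevel further down would
        # silently override this one.)
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        # --- TLS with mandatory client certificates ---
        SSLEngine on
        # SSLv2 and SSLv3 are both broken; keep TLS only.
        SSLProtocol all -SSLv2 -SSLv3
        # HIGH:MEDIUM still admits RC4 and anonymous (aNULL) suites; exclude them.
        SSLCipherSuite HIGH:!aNULL:!MD5
        # Every client must present a certificate chaining to SSLCACertificateFile.
        # With that directive commented out mod_ssl has nothing to verify
        # against and client authentication cannot succeed.
        SSLVerifyClient require
        # The chain on this page is CA -> client, so one level is enough.
        SSLVerifyDepth 1
        # Server certificate and key. Presumably server.cer / server.key from
        # /root/CA copied under these names -- the page does not show that copy.
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        # CA that issued the client certificates (ca.cer from /root/CA).
        SSLCACertificateFile /etc/apache2/ssl/ca.cer
</VirtualHost>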

# Reload the vhost so the SSL directives take effect.
/etc/init.d/apache2 restart

# NOTE(review): OpenSSL_Client is a local helper script that is not shown on
# this page; from its arguments it presumably wraps the client-certificate
# steps above (subject e-mail, validity in days, export password, output
# directory) -- confirm before relying on it. Its output directory sits under
# the vhost's DocumentRoot (/var/www), so whatever it writes there is served
# to any client that passes the certificate check; keep the export password
# and any loose key files out of that tree.
./OpenSSL_Client rname@some.com 365 passwd /var/www/html/CERT

Now import the client.p12 file into the browser.

Reference: http://www.flatmtn.com/article/setting-openssl-create-certificates
