Two-way SSL authentication or mutual SSL authentication or client
authentication works by resolving its identity to SSL server with a use of
the client certificate.
All certificates will be issued by using OpenSSL application and openssl.cnf
configuration file.
cd /root
mkdir CA
cd CA
mkdir newcerts private
vi /root/CA/openssl.cnf
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
ts = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_md = sha1
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country
countryName_default = IN
countryName_min = 2
countryName_max = 2
localityName = Locality
stateOrProvinceName_default = Karnataka
localityName_default = Bangalore
organizationName = Organization
organizationName_default = edurite
commonName = Common Name
commonName_max = 64
[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
echo '01' > serial
touch index.txt
to generate self-signed certificate
openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer
openssl genrsa -out server.key 2048
openssl req -config ./openssl.cnf -new -key server.key -out server.req
openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.cer
rm server.req
openssl genrsa -out client.key 2048
openssl req -config ./openssl.cnf -new -key client.key -out client.req
openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
rm client.key client.cer client.req
vi /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
Listen 443
<VirtualHost 172.16.0.14:443>
DocumentRoot "/var/www/SSL/digitally"
CheckSpelling on
DirectoryIndex opsindex.php
ServerName 172.16.0.14
ServerAdmin root@localhost
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/conf/ssl/server.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/conf/ssl/ca.cer
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
httpd -S
/etc/init.d/httpd/restart
mkdir -p /var/www/html/CERTS
./OpenSSL_Client rname@some.com 365 passwd /var/www/html/CERTS
Now Import the P12 file to the browser.
Ref :- http://www.flatmtn.com/article/setting-openssl-create-certificates
No comments:
Post a Comment