Tuesday 23 September 2014

Two-way SSL authentication


Two-way SSL authentication (also called mutual SSL/TLS authentication or client-certificate authentication) extends the normal TLS handshake: the server proves its identity with its certificate as usual, and the client proves its identity to the server with a client certificate issued by a CA the server trusts. If no acceptable client certificate is presented, the server refuses the connection.

All certificates in this post are issued with the OpenSSL command-line tool, driven by a private openssl.cnf configuration file kept in the CA directory.

 cd /root

 mkdir CA

 cd CA

 mkdir newcerts private

 vi /root/CA/openssl.cnf

#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
default_bits = 2048 # Size of keys (1024-bit RSA is no longer acceptable)
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm (MD5 is broken for signatures)
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ ca ]

default_ca = CA_default

[ CA_default ]

serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]

countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]

default_md = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

countryName = Country
countryName_default = IN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State
stateOrProvinceName_default = Karnataka
localityName = Locality
localityName_default = Bangalore
organizationName = Organization
organizationName_default = edurite
commonName = Common Name
commonName_max = 64

[ certauth ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign

[ server ]

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
# Browsers match the server against subjectAltName, not the CN; list every
# name or address clients will use (the VirtualHost below is 172.16.0.14)
subjectAltName = IP:172.16.0.14

[ client ]

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = client

[ v3_req ]

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

 echo '01' > serial
 touch index.txt

 (serial and index.txt are only consulted by openssl ca; the steps below sign with openssl x509 instead, so they are created here for completeness.)

 To generate the self-signed CA certificate and key. -nodes leaves ca.key unencrypted, so keep /root/CA readable by root only, or omit -nodes to protect the CA key with a passphrase:

 openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

 Generate the server key and a certificate signing request (enter the address clients connect to, 172.16.0.14 here, as the Common Name), then sign the request with the CA using the [ server ] extension profile. -sha256 is given explicitly because older openssl x509 versions default to SHA-1; each certificate issued by the CA needs a distinct serial number, hence -set_serial:

 openssl genrsa -out server.key 2048

 openssl req -config ./openssl.cnf -new -key server.key -out server.req

 openssl x509 -req -sha256 -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.cer

 rm server.req

 The client certificate is made the same way with the [ client ] profile (use the user's name or e-mail address as the Common Name), then bundled with its private key into a PKCS#12 file for the browser. -certfile adds the CA certificate to the bundle so the browser can show the full chain; you are prompted for an export password, which the user needs when importing:

 openssl genrsa -out client.key 2048

 openssl req -config ./openssl.cnf -new -key client.key -out client.req

 openssl x509 -req -sha256 -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.cer

 openssl pkcs12 -export -inkey client.key -in client.cer -certfile ca.cer -out client.p12

 Once the bundle has been checked (for example by listing it with openssl pkcs12 -info), the loose files can be removed. client.p12 is then the only copy of the client's private key, so hand it over and store it accordingly:

 rm client.key client.cer client.req

Copy ca.cer, server.cer and server.key to /etc/httpd/conf/ssl/ (the paths used below), then edit the SSL virtual host:

vi /etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

Listen 443

<VirtualHost 172.16.0.14:443>
DocumentRoot "/var/www/SSL/digitally"
CheckSpelling on
DirectoryIndex opsindex.php
ServerName 172.16.0.14
ServerAdmin root@localhost
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
# SSLv2 and SSLv3 are both broken; "all -SSLv2" alone still allows SSLv3
SSLProtocol all -SSLv2 -SSLv3
# MEDIUM admits RC4 and other weak suites; let the server's order win
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCertificateFile /etc/httpd/conf/ssl/server.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
# require: the handshake fails unless the client presents a certificate
# that chains to SSLCACertificateFile within SSLVerifyDepth
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/conf/ssl/ca.cer
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

 Check the configuration and the virtual host list, then restart Apache:

 httpd -S

 /etc/init.d/httpd restart

Note that SSLVerifyClient require only establishes that the client holds a certificate issued by ca.cer. Deciding which of those clients may use the site is a separate authorisation step, for example an SSLRequire rule on the subject DN, or a check in the application on the SSL_CLIENT_S_DN variables that SSLOptions +StdEnvVars exports.

 mkdir -p /var/www/html/CERTS

./OpenSSL_Client rname@some.com 365 passwd /var/www/html/CERTS

OpenSSL_Client is a wrapper script that is not included in this post; from its arguments it appears to take the user's e-mail address (used as the Common Name), the validity in days, the PKCS#12 export password and the output directory, and to run the client-certificate steps above. Serving the .p12 from the web root exposes the client's private key to anyone who can fetch the file, so restrict access to that directory or distribute the bundle another way.

Now import the .p12 file into the browser (the export password is required). The browser then presents the certificate when the server asks for it, and connections without it are refused.
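The whole procedure as one runnable script, added here as an example and not code from the original post or its OpenSSL_Client script: it builds the same kind of PKI (CA, server and client certificates, PKCS#12 bundle) with SHA-256 and a subjectAltName, checks with openssl verify that each certificate is fit only for its own role, and then demonstrates the "SSLVerifyClient require" behaviour end to end with openssl s_server standing in for Apache. It assumes openssl in PATH and working loopback networking; the DN values, the address 172.16.0.14 and the port MTLS_PORT are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): mutual-TLS PKI build and check.
# Assumptions: openssl in PATH, loopback networking, placeholder DN/IP/port.
set -u
MTLS_PORT=${MTLS_PORT:-44330}

# Minimal config: an empty DN section (the subject comes from -subj) plus one
# extension profile per role, so this does not depend on the post's openssl.cnf.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:172.16.0.14
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# issue DIR ROLE CN: key + CSR for ROLE (server|client), signed by DIR/ca.*
issue() {
    d=$1; role=$2; cn=$3
    openssl genrsa -out "$d/$role.key" 2048 2>/dev/null &&
    openssl req -new -config "$d/pki.cnf" -key "$d/$role.key" \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=edurite/CN=$cn" -out "$d/$role.req" &&
    openssl x509 -req -in "$d/$role.req" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$d/pki.cnf" \
        -extensions "${role}_ext" -out "$d/$role.cer" 2>/dev/null
}

# build_pki DIR: self-signed CA, server and client certs, and the client's
# PKCS#12 bundle (CA cert included so the browser can show the chain).
build_pki() {
    d=$1
    write_cnf "$d/pki.cnf" &&
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -new -config "$d/pki.cnf" -key "$d/ca.key" \
        -subj "/C=IN/ST=Karnataka/O=edurite/CN=edurite test CA" -out "$d/ca.req" &&
    openssl x509 -req -in "$d/ca.req" -signkey "$d/ca.key" -days 3650 -sha256 \
        -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/ca.cer" 2>/dev/null &&
    issue "$d" server 172.16.0.14 &&
    issue "$d" client rname@some.com &&
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.cer" \
        -certfile "$d/ca.cer" -passout pass:changeit -out "$d/client.p12"
}

# fit_for DIR PURPOSE CERT: 0 if CERT chains to DIR/ca.cer and its keyUsage /
# extendedKeyUsage allow PURPOSE (sslserver or sslclient).
fit_for() {
    openssl verify -CAfile "$1/ca.cer" -purpose "$2" "$3" >/dev/null 2>&1
}

# handshake DIR yes|no: start a server that REQUIRES a client certificate
# (like SSLVerifyClient require), connect once with or without one, stop it.
# Returns 0 only if the server completed the handshake and answered the GET.
handshake() {
    d=$1; with_cert=$2
    openssl s_server -accept "$MTLS_PORT" -cert "$d/server.cer" -key "$d/server.key" \
        -CAfile "$d/ca.cer" -Verify 2 -naccept 1 -www >/dev/null 2>&1 &
    srv=$!
    sleep 1
    if [ "$with_cert" = yes ]; then set -- -cert "$d/client.cer" -key "$d/client.key"; else set --; fi
    # -ign_eof keeps s_client reading until the server answers or aborts, so a
    # TLS 1.3 "certificate required" alert (sent after the client's Finished)
    # is not missed; -verify_return_error rejects an untrusted server cert.
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$MTLS_PORT" \
        -CAfile "$d/ca.cer" -verify_return_error -ign_eof "$@" 2>/dev/null)
    kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null
    case $out in *"HTTP/1.0 200"*) return 0 ;; *) return 1 ;; esac
}

# Usage: sh mtls-check.sh demo /tmp/pki
case "${1:-}" in
demo)
    build_pki "$2" || exit 1
    fit_for "$2" sslclient "$2/client.cer" && echo "client cert valid for clientAuth"
    fit_for "$2" sslserver "$2/client.cer" || echo "client cert refused as a server cert"
    handshake "$2" yes && echo "with client cert: accepted"
    handshake "$2" no || echo "without client cert: rejected"
    ;;
esac
```

The role checks matter because a CA that issues both kinds of certificate must not let a client certificate be reused as a server certificate (or the reverse); openssl verify -purpose applies the same keyUsage, extendedKeyUsage and nsCertType rules that mod_ssl and browsers do. To also confirm that the server certificate matches the address in the VirtualHost, run openssl verify with -verify_ip 172.16.0.14 against server.cer.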

Ref :- http://www.flatmtn.com/article/setting-openssl-create-certificates
