SSL client certificates
I'd like to use SSL client certificates for one virtual host on a Debian (Lenny) Ispconfig2 web server.
I have already done the 'proof of concept', which means that I enabled SSL for the web, put a http to https redirection into the 'apache directives' textfield and then manually altered the Vhost_ispconfig.conf file to the desired settings. Everything works fine so far.
The only drawback (of course) is that all settings are lost as soon as I alter anything in the ISPConfig GUI .
Is there a better way to do this in ISPConfig?
thanks for the reply.
I tried putting it into the "Apache Directives" field, but I noticed that the contents of this field are put into both the :80 and :443 parts of the Vhost_ispconfig.conf entries for the web. I thought that I cannot do it that way.
Do I have to to it in a special way? Can I direct the entries to just the :443 part of the config? And where to put the https redirection then?
This is what I put into the :443 part of the webs vhost entry at the moment:
I have found out how to use client certificate authentication on single webs in ISPConfig myself now.
If someone is interested on how it works, I could provide a howto.
That would be great! :)
OK, so be it. ;-) The howto is a bit longish, but on the other hand it should be easy to follow.
It is based on a howto you can find here http://www.jfranken.de/homepages/joh....de.html#ToC18.
I only made it work in combination with ISPConfig.
Please note I am not an SSL certificate or security expert, so I am not liable for problems that might occur using this howto!
Any hints or corrections are highly welcome!
Step 1: Setting up the root certificate authority
At first you need a certificate authority (CA) to sign your certificates. In this howto we create the CA ourselves. (BTW: You only need to do this once on your server.)
To the most of you this may be obvious, but I have to warn the others: the passphrase is needed to sign or withdraw your client certificates. So you must not lose it or give it to others!
We also generate a certificate revocation list (cacert.crl). This file is needed to mark certain certificates expired or invalid.
Step 2: Settings in ISPConfig:
This must be done for each web you wish to equip with client certificate authentication.
We have to generate a certificate in ISPConfig to 'engage' SSL for the web (a port 443 paragraph will be added for the web in the Vhosts_ispconfig.conf).
Login to the ISPConfig GUI and open the web you wish to modify (johndoelimited.com in this case).
Activate the SSL checkbox (do not mix up with the SSI checkbox!) and save. A new SSL tab will become visible (after navigating back to the web).
Go to the SSL tab and enter the certificate data (it does not correspond to the client certificates, so you do not necessarily need to enter the same data).
In this example we enter:
Company: John Doe Limited
Validity (days): 365
Choose "create certificate" from the selectbox below and save.
Wait for a moment and go back to the SSL tab. Now you see a certificate has been generated and put into the corresponding text boxes.
Go back to the basic settings of the web and put the following into the "apache directives" field at the bottom and save:
The access to the web can be controlled via this configuration.
The first three lines are just a redirection, which will put all http requests to https.
The next three lines define the certificate authority (CA). It must match the client certificate's signing.
The location tag defines the access to the web. In this case the whole web can be accessed, if you own the correct certificate.
You also could protect certain folders by adding further location tags (<Location /some-folder>)
The most interesting line inside the location block is SSLRequire. It defines what data must be contained in your client certificate to be accepted. Here it only accepts the name "John Doe". (I will not explain further configuration examples, use google to find out more!)
The configuration of the web is finished here, so we can go back to the console.
Step 3: Generating client certificates
This step must be done for every user of the secure web.
The generating of certificates is done in two steps:
First we generate a certificate signing request file (CSR). Then the request needs to be signed by the certificate authority (we created in step 1)
Now we have to sign the CSR file:
The file name comes from the serial we defined in step 1 (a hexadecimal number).
The last thing to do is converting the signed certificate to a more common format ( from PEM to PFX, also called PKCS12 or P12 )
Give this file and password to the corresponding user.
To install it on a client PC, you right click the p12 file and choose "install" from the context menu. Then it will work at least in Internet Explorer.
For making it work in Firefox you have to start Firefox, choose "tools -> options -> advanced. Choose "view certificates". Choose "your certificates" and click on "import". choose the p12 file and enter the corresponding password. (Note: if you have set up a master password, you will be asked it first!).
OK, so far the howto. Hope you like it!
You are right, SSLRequire is the most interesting ;) ..
Fun by side, great howto.
Most of the manual work you can get 'automated' or 'built-in'. The apache 2 plugin contains the exec call's for the certificate creation, and using opensssl ca -batch does not ask any question, therefore it can be built in completely.
Back to the most interesting ...
.. what came to my mind is now, to identify ISPConfig 3 users with certificates :) ...
|All times are GMT +2. The time now is 11:34.|
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.