View Single Post
  #6  
Old 24th September 2010, 17:12
teves teves is offline
Senior Member
 
Join Date: Oct 2006
Posts: 150
Thanks: 27
Thanked 15 Times in 10 Posts
Default

OK, so be it. ;-) The howto is a bit longish, but on the other hand it should be easy to follow.
It is based on a howto you can find here http://www.jfranken.de/homepages/joh....de.html#ToC18.
I only made it work in combination with ISPConfig.
Please note I am not an SSL certificate or security expert, so I am not liable for problems that might occur using this howto!
Any hints or corrections are highly welcome!

Step 1: Setting up the root certificate authority

At first you need a certificate authority (CA) to sign your certificates. In this howto we create the CA ourselves. (BTW: You only need to do this once on your server.)

Code:
$ cd /etc/ssl
$ echo 1001 > serial
$ touch index.txt
$ mkdir newcerts csr
We edit the openssl.cnf to set it to the desired default settings:

Code:
dir                         = /etc/ssl
countryName_default         = DE
stateOrProvinceName_default = Hessen
0.organizationName_default  = John Doe Limited
localityName_default        = Frankfurt

comment out the followin line (already commented out):
#crlnumber                  = $dir/crlnumber
Now we create the root CA:
Code:
$ openssl req -new -x509 -days 365 -keyout private/cakey.pem -out cacert.pem
Generating a 1024 bit RSA private key
..........++++++
........................++++++
writing new private key to 'private/privkey.pem'
Enter PEM pass phrase: [Passwort]
Verifying - Enter PEM pass phrase: [Passwort]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Frankfurt]:
Organization Name (eg, company) [John Doe Limited]:
Organizational Unit Name (eg, section) []:CA
Common Name (eg, YOUR name) []:John Doe Limited CA
Email Address []:info@johndoelimited.com
In this step the root certificate (cacert.pem) and a passphrase-secured private key (cakey.pem) are created.

Beware:
To the most of you this may be obvious, but I have to warn the others: the passphrase is needed to sign or withdraw your client certificates. So you must not lose it or give it to others!


We also generate a certificate revocation list (cacert.crl). This file is needed to mark certain certificates expired or invalid.
Code:
$ openssl ca -gencrl -out cacert.crl
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:[Passwort]
Now we can publish both the certificate and revocation list file to allow clients to import them:
Code:
$ cp /etc/ssl/cacert.pem /var/www/webNN/web/johndoe-root-cert.crt
$ ln -sf /etc/ssl/cacert.crl /var/www/webNN/web/johndoe-revlist.crl

Step 2: Settings in ISPConfig:

This must be done for each web you wish to equip with client certificate authentication.

We have to generate a certificate in ISPConfig to 'engage' SSL for the web (a port 443 paragraph will be added for the web in the Vhosts_ispconfig.conf).

Login to the ISPConfig GUI and open the web you wish to modify (johndoelimited.com in this case).
Activate the SSL checkbox (do not mix up with the SSI checkbox!) and save. A new SSL tab will become visible (after navigating back to the web).
Go to the SSL tab and enter the certificate data (it does not correspond to the client certificates, so you do not necessarily need to enter the same data).
In this example we enter:
Country: Germany
Province: Hessen
Town: Frankfurt
Company: John Doe Limited
Department: webhosting
Validity (days): 365


Choose "create certificate" from the selectbox below and save.
Wait for a moment and go back to the SSL tab. Now you see a certificate has been generated and put into the corresponding text boxes.

Go back to the basic settings of the web and put the following into the "apache directives" field at the bottom and save:
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/ssl/cacert.pem
SSLCARevocationFile /etc/ssl/cacert.crl
<Location />
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLOptions +ExportCertData
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "John Doe"
</Location>
In this configuration "John Doe" is the only user accepted for accessing the web. So we need to generate a client certificate for that name.

The access to the web can be controlled via this configuration.
The first three lines are just a redirection, which will put all http requests to https.
The next three lines define the certificate authority (CA). It must match the client certificate's signing.
The location tag defines the access to the web. In this case the whole web can be accessed, if you own the correct certificate.
You also could protect certain folders by adding further location tags (<Location /some-folder>)
The most interesting line inside the location block is SSLRequire. It defines what data must be contained in your client certificate to be accepted. Here it only accepts the name "John Doe". (I will not explain further configuration examples, use google to find out more!)

The configuration of the web is finished here, so we can go back to the console.


Step 3: Generating client certificates

This step must be done for every user of the secure web.

The generating of certificates is done in two steps:
First we generate a certificate signing request file (CSR). Then the request needs to be signed by the certificate authority (we created in step 1)
Code:
$ cd /etc/ssl
$ openssl req -new -nodes -days 365 -out jdoe.csr -keyout jdoe.key
Generating a 1024 bit RSA private key
...............++++++
....++++++
writing new private key to jdoe.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Frankfurt]:
Organization Name (eg, company) [John Doe Limited]:
Organizational Unit Name (eg, section) []:Webhosting
Common Name (eg, YOUR name) []:John Doe
Email Address []:jd@johndoelimited.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Passwort]
An optional company name []:
The files jdoe.csr (certificate signing request) and jdoe.key (key file) are generated.

Now we have to sign the CSR file:
Code:
$ openssl ca -in jdoe.csr
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
	Serial Number: 4097 (0x1001)
	Validity
		Not Before: Jul 24 22:01:36 2005 GMT
		Not After : Jul 24 22:01:36 2006 GMT
	Subject:
		countryName               = DE
		stateOrProvinceName       = Hessen
		organizationName          = John Doe Limited
		organizationalUnitName    = Webhosting
		commonName                = John Doe
		emailAddress              = jd@johndoelimited.com
	X509v3 extensions:
	X509v3 Basic Constraints:
			CA:FALSE
	Netscape Comment:
			OpenSSL Generated Certificate
	X509v3 Subject Key Identifier:
			53:23:97:FC:B5:E4:8D:7A:3E:B2:05:4C:C5:33:74:27:F4:F5:48:2D
	X509v3 Authority Key Identifier:
	keyid:E2:93:41:5C:89:C9:3C:81:42:6D:3C:76:CF:49:1F:8A:91:5F:4E:FC
	DirName:/C=DE/ST=Hessen/L=Frankfurt/O= John Doe Limited
	/OU=CA/CN=John Doe CA/emailAddress=info@johndoelimited.com
			serial:B0:1F:97:8F:4A:C3:84:07

Certificate is to be certified until Jul 24 22:01:36 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
[...]
Data Base Updated
The certificate is now in /etc/apache2/ssl/newcerts/1001.pem.
The file name comes from the serial we defined in step 1 (a hexadecimal number).

The last thing to do is converting the signed certificate to a more common format ( from PEM to PFX, also called PKCS12 or P12 )
Code:
$ openssl pkcs12 -export -in newcerts/1001.pem -inkey jdoe.key -certfile cacert.pem -name "John Doe => John Doe Limited" -out 1001.p12
Enter Export Password: [Passwort]
Verifying - Enter Export Password: [Passwort]
Now the PFX file is converted and locked with the given password. You find it here: /etc/ssl/1001.p12
Give this file and password to the corresponding user.

To install it on a client PC, you right click the p12 file and choose "install" from the context menu. Then it will work at least in Internet Explorer.
For making it work in Firefox you have to start Firefox, choose "tools -> options -> advanced. Choose "view certificates". Choose "your certificates" and click on "import". choose the p12 file and enter the corresponding password. (Note: if you have set up a master password, you will be asked it first!).

OK, so far the howto. Hope you like it!
regards, Tom

Last edited by teves; 25th October 2010 at 19:17. Reason: Issues with validity of certificates
Reply With Quote