#1
16th September 2010, 17:31
teves (Senior Member)
SSL client certificates

Hello,

I'd like to use SSL client certificates for one virtual host on a Debian (Lenny) ISPConfig 2 web server.
I have already done the 'proof of concept', which means that I enabled SSL for the web, put an http to https redirection into the 'apache directives' text field and then manually altered the Vhost_ispconfig.conf file to the desired settings. Everything works fine so far.

The only drawback (of course) is that all settings are lost as soon as I alter anything in the ISPConfig GUI.

Is there a better way to do this in ISPConfig?

Thank you,
regards, Tom
#2
17th September 2010, 15:31
falko (Super Moderator, Lüneburg, Germany)

Quote (originally posted by teves):
and then manually altered the Vhost_ispconfig.conf file to the desired settings.
Why didn't you put your changes into the "Apache Directives" field?
#3
20th September 2010, 09:31
teves (Senior Member)

Hi Falko,
thanks for the reply.

I tried putting it into the "Apache Directives" field, but I noticed that the contents of this field are put into both the :80 and :443 parts of the Vhost_ispconfig.conf entries for the web. I thought that I cannot do it that way.

Do I have to do it in a special way? Can I direct the entries to just the :443 part of the config? And where do I put the https redirection then?

This is what I put into the :443 part of the web's vhost entry at the moment:

Code:
SSLEngine On
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/apache2/ssl/sserver-root-cert.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
#
SSLCACertificateFile /etc/ssl/cacert.pem
SSLCARevocationFile /etc/ssl/cacert.crl
<Location />
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLOptions +ExportCertData
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "Testuser"
</Location>
And this is inside my "Apache Directives" field:
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#4
21st September 2010, 09:37
teves (Senior Member)

I have found out how to use client certificate authentication on single webs in ISPConfig myself now.
If someone is interested in how it works, I could provide a howto.

Regards, Tom
#5
21st September 2010, 18:25
falko (Super Moderator, Lüneburg, Germany)

That would be great!
#6
24th September 2010, 16:12
teves (Senior Member)

OK, so be it. ;-) The howto is a bit longish, but on the other hand it should be easy to follow.
It is based on a howto you can find here http://www.jfranken.de/homepages/joh....de.html#ToC18.
I only made it work in combination with ISPConfig.
Please note I am not an SSL certificate or security expert, so I am not liable for problems that might occur using this howto!
Any hints or corrections are highly welcome!

Step 1: Setting up the root certificate authority

At first you need a certificate authority (CA) to sign your certificates. In this howto we create the CA ourselves. (BTW: You only need to do this once on your server.)

Code:
$ cd /etc/ssl
$ echo 1001 > serial
$ touch index.txt
$ mkdir newcerts csr
We edit the openssl.cnf to set it to the desired default settings:

Code:
dir                         = /etc/ssl
countryName_default         = DE
stateOrProvinceName_default = Hessen
0.organizationName_default  = John Doe Limited
localityName_default        = Frankfurt

comment out the following line (already commented out):
#crlnumber                  = $dir/crlnumber
Now we create the root CA:
Code:
$ openssl req -new -x509 -days 365 -keyout private/cakey.pem -out cacert.pem
Generating a 1024 bit RSA private key
..........++++++
........................++++++
writing new private key to 'private/privkey.pem'
Enter PEM pass phrase: [Passwort]
Verifying - Enter PEM pass phrase: [Passwort]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Frankfurt]:
Organization Name (eg, company) [John Doe Limited]:
Organizational Unit Name (eg, section) []:CA
Common Name (eg, YOUR name) []:John Doe Limited CA
Email Address []:info@johndoelimited.com
In this step the root certificate (cacert.pem) and a passphrase-secured private key (cakey.pem) are created.

Beware:
To most of you this may be obvious, but I have to warn the others: the passphrase is needed to sign or withdraw your client certificates. So you must not lose it or give it to others!


We also generate a certificate revocation list (cacert.crl). This file is needed to mark certain certificates expired or invalid.
Code:
$ openssl ca -gencrl -out cacert.crl
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:[Passwort]
Now we can publish both the certificate and revocation list file to allow clients to import them:
Code:
$ cp /etc/ssl/cacert.pem /var/www/webNN/web/johndoe-root-cert.crt
$ ln -sf /etc/ssl/cacert.crl /var/www/webNN/web/johndoe-revlist.crl

Step 2: Settings in ISPConfig:

This must be done for each web you wish to equip with client certificate authentication.

We have to generate a certificate in ISPConfig to 'engage' SSL for the web (a port 443 paragraph will be added for the web in the Vhosts_ispconfig.conf).

Login to the ISPConfig GUI and open the web you wish to modify (johndoelimited.com in this case).
Activate the SSL checkbox (do not mix up with the SSI checkbox!) and save. A new SSL tab will become visible (after navigating back to the web).
Go to the SSL tab and enter the certificate data (it does not correspond to the client certificates, so you do not necessarily need to enter the same data).
In this example we enter:
Country: Germany
Province: Hessen
Town: Frankfurt
Company: John Doe Limited
Department: webhosting
Validity (days): 365


Choose "create certificate" from the select box below and save.
Wait for a moment and go back to the SSL tab. Now you see a certificate has been generated and put into the corresponding text boxes.

Go back to the basic settings of the web and put the following into the "apache directives" field at the bottom and save:
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/ssl/cacert.pem
SSLCARevocationFile /etc/ssl/cacert.crl
<Location />
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLOptions +ExportCertData
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "John Doe"
</Location>
In this configuration "John Doe" is the only user accepted for accessing the web. So we need to generate a client certificate for that name.

The access to the web can be controlled via this configuration.
The first three lines are just a redirection, which will put all http requests to https.
The next three lines define the certificate authority (CA). It must match the client certificate's signing.
The location tag defines the access to the web. In this case the whole web can be accessed, if you own the correct certificate.
You could also protect certain folders by adding further Location tags (<Location /some-folder>).
The most interesting line inside the location block is SSLRequire. It defines what data must be contained in your client certificate to be accepted. Here it only accepts the name "John Doe". (I will not explain further configuration examples, use Google to find out more!)

The configuration of the web is finished here, so we can go back to the console.


Step 3: Generating client certificates

This step must be done for every user of the secure web.

Generating certificates is done in two steps:
First we generate a certificate signing request file (CSR). Then the request needs to be signed by the certificate authority (which we created in step 1).
Code:
$ cd /etc/ssl
$ openssl req -new -nodes -days 365 -out jdoe.csr -keyout jdoe.key
Generating a 1024 bit RSA private key
...............++++++
....++++++
writing new private key to 'jdoe.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Frankfurt]:
Organization Name (eg, company) [John Doe Limited]:
Organizational Unit Name (eg, section) []:Webhosting
Common Name (eg, YOUR name) []:John Doe
Email Address []:jd@johndoelimited.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Passwort]
An optional company name []:
The files jdoe.csr (certificate signing request) and jdoe.key (key file) are generated.

Now we have to sign the CSR file:
Code:
$ openssl ca -in jdoe.csr
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
	Serial Number: 4097 (0x1001)
	Validity
		Not Before: Jul 24 22:01:36 2005 GMT
		Not After : Jul 24 22:01:36 2006 GMT
	Subject:
		countryName               = DE
		stateOrProvinceName       = Hessen
		organizationName          = John Doe Limited
		organizationalUnitName    = Webhosting
		commonName                = John Doe
		emailAddress              = jd@johndoelimited.com
	X509v3 extensions:
	X509v3 Basic Constraints:
			CA:FALSE
	Netscape Comment:
			OpenSSL Generated Certificate
	X509v3 Subject Key Identifier:
			53:23:97:FC:B5:E4:8D:7A:3E:B2:05:4C:C5:33:74:27:F4:F5:48:2D
	X509v3 Authority Key Identifier:
	keyid:E2:93:41:5C:89:C9:3C:81:42:6D:3C:76:CF:49:1F:8A:91:5F:4E:FC
	DirName:/C=DE/ST=Hessen/L=Frankfurt/O= John Doe Limited
	/OU=CA/CN=John Doe CA/emailAddress=info@johndoelimited.com
			serial:B0:1F:97:8F:4A:C3:84:07

Certificate is to be certified until Jul 24 22:01:36 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
[...]
Data Base Updated
The certificate is now in /etc/apache2/ssl/newcerts/1001.pem.
The file name comes from the serial we defined in step 1 (a hexadecimal number).

The last thing to do is converting the signed certificate to a more common format (from PEM to PFX, also called PKCS12 or P12):
Code:
$ openssl pkcs12 -export -in newcerts/1001.pem -inkey jdoe.key -certfile cacert.pem -name "John Doe => John Doe Limited" -out 1001.p12
Enter Export Password: [Passwort]
Verifying - Enter Export Password: [Passwort]
Now the PFX file is converted and locked with the given password. You find it here: /etc/ssl/1001.p12
Give this file and password to the corresponding user.

To install it on a client PC, you right click the p12 file and choose "install" from the context menu. Then it will work at least in Internet Explorer.
For making it work in Firefox you have to start Firefox and choose "Tools -> Options -> Advanced". Choose "View certificates". Choose "Your certificates" and click on "Import". Choose the p12 file and enter the corresponding password. (Note: if you have set up a master password, you will be asked for it first!)

OK, so far the howto. Hope you like it!
regards, Tom

Last edited by teves; 25th October 2010 at 18:17. Reason: Issues with validity of certificates
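As an added example (not code from the thread, ISPConfig or Apache), here is what the vhost directives from post #3 and step 2 actually enforce, modelled with Go's standard library: a constructed root CA issues a client certificate as in step 3, a CRL revokes one serial as cacert.crl would, and Authorize applies chain validation, the revocation check and the SSLRequire CN rule in that order. The names, serials and the Issue/NewCRL/Authorize functions are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Issue signs a certificate for cn with parent, or builds the self-signed root CA when parent is nil.
func Issue(cn string, serial int64, parent *x509.Certificate, pk *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the key "openssl req" generates
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	if t.IsCA { // the root signs itself and may sign certificates and CRLs
		t.KeyUsage, parent, pk = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk) // "openssl req -x509" / "openssl ca"
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCRL signs a CRL revoking one serial: cacert.crl as regenerated after "openssl ca -revoke" (constructed).
func NewCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, revoked int64) *x509.RevocationList {
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revoked), RevocationTime: time.Now()}}}, ca, caKey)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// Authorize mirrors the vhost: SSLVerifyClient require (chain to the CA), SSLCARevocationFile (not on a CRL the CA signed), SSLRequire (CN matches).
func Authorize(cert, ca *x509.Certificate, crl *x509.RevocationList, allowedCN string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	if err = errors.Join(err, crl.CheckSignatureFrom(ca)); err != nil {
		return err // not issued by this CA, outside its validity period, or a CRL the CA did not sign
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	if cert.Subject.CommonName != allowedCN { // only as strong as the CA's policy on which CNs it signs
		return errors.New("CN not allowed: " + cert.Subject.CommonName)
	}
	return nil
}
```

A certificate with the right CN but a revoked serial is rejected before the CN is even looked at, which is why the CRL file in the vhost matters as much as the SSLRequire line.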
#7
26th February 2011, 06:20
LaKing (Junior Member)

You are right, SSLRequire is the most interesting ..

Fun aside, great howto.

Most of the manual work you can get 'automated' or 'built-in'. The apache 2 plugin contains the exec calls for the certificate creation, and using openssl ca -batch does not ask any questions, therefore it can be built in completely.

Back to the most interesting ...
.. what came to my mind is now, to identify ISPConfig 3 users with certificates ...