SSL client certificates

Hello,

I'd like to use SSL client certificates for one virtual host on a Debian (Lenny) Ispconfig2 web server.
I have already done the 'proof of concept', which means that I enabled SSL for the web, put a http to https redirection into the 'apache directives' textfield and then manually altered the Vhost_ispconfig.conf file to the desired settings. Everything works fine so far.

The only drawback (of course) is that all settings are lost as soon as I alter anything in the ISPConfig GUI .

Is there a better way to do this in ISPConfig?

Thank you,
regards, Tom

 

Why didn't you put your changes into the "Apache Directives" field?

 

Hi Falko,
thanks for the reply.

I tried putting it into the "Apache Directives" field, but I noticed that the contents of this field are put into both the :80 and :443 parts of the Vhost_ispconfig.conf entries for the web. I thought that I cannot do it that way.

Do I have to to it in a special way? Can I direct the entries to just the :443 part of the config? And where to put the https redirection then?

This is what I put into the :443 part of the webs vhost entry at the moment:

Code:

SSLEngine On
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/apache2/ssl/sserver-root-cert.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
#
SSLCACertificateFile /etc/ssl/cacert.pem
SSLCARevocationFile /etc/ssl/cacert.crl
<Location />
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLOptions +ExportCertData
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "Testuser"
</Location>

And this is inside my "Apache Directives" field:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

I have found out how to use client certificate authentication on single webs in ISPConfig myself now.
If someone is interested on how it works, I could provide a howto.

Regards, Tom

 

That would be great!

 

OK, so be it. ;-) The howto is a bit longish, but on the other hand it should be easy to follow.
It is based on a howto you can find here http://www.jfranken.de/homepages/johannes/vortraege/apache_inhalt.de.html#ToC18.
I only made it work in combination with ISPConfig.
Please note I am not an SSL certificate or security expert, so I am not liable for problems that might occur using this howto!
Any hints or corrections are highly welcome!

Step 1: Setting up the root certificate authority

At first you need a certificate authority (CA) to sign your certificates. In this howto we create the CA ourselves. (BTW: You only need to do this once on your server.)

Code:

[B]$ cd /etc/ssl
$ echo 1001 > serial
$ touch index.txt
$ mkdir newcerts csr[/B]

We edit the openssl.cnf to set it to the desired default settings:

Code:

dir                         = /etc/ssl
countryName_default         = DE
stateOrProvinceName_default = Hessen
0.organizationName_default  = John Doe Limited
localityName_default        = Frankfurt

comment out the followin line (already commented out):
#crlnumber                  = $dir/crlnumber

Now we create the root CA:

Code:

[B]$ openssl req -new -x509 -days 365 -keyout private/cakey.pem -out cacert.pem[/B]
Generating a 1024 bit RSA private key
..........++++++
........................++++++
writing new private key to 'private/privkey.pem'
Enter PEM pass phrase: [B][Passwort][/B]
Verifying - Enter PEM pass phrase: [B][Passwort][/B]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Frankfurt]:
Organization Name (eg, company) [John Doe Limited]:
Organizational Unit Name (eg, section) []:[B]CA[/B]
Common Name (eg, YOUR name) []:[B]John Doe Limited CA[/B]
Email Address []:[B][email protected][/B]

In this step the root certificate (cacert.pem) and a passphrase-secured private key (cakey.pem) are created.

Beware:
To the most of you this may be obvious, but I have to warn the others: the passphrase is needed to sign or withdraw your client certificates. So you must not lose it or give it to others!

We also generate a certificate revocation list (cacert.crl). This file is needed to mark certain certificates expired or invalid.

Code:

[B]$ openssl ca -gencrl -out cacert.crl[/B]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:[B][Passwort][/B]

Now we can publish both the certificate and revocation list file to allow clients to import them:

Code:

[B]$ cp /etc/ssl/cacert.pem /var/www/webNN/web/johndoe-root-cert.crt
$ ln -sf /etc/ssl/cacert.crl /var/www/webNN/web/johndoe-revlist.crl[/B]

Step 2: Settings in ISPConfig:

This must be done for each web you wish to equip with client certificate authentication.

We have to generate a certificate in ISPConfig to 'engage' SSL for the web (a port 443 paragraph will be added for the web in the Vhosts_ispconfig.conf).

Login to the ISPConfig GUI and open the web you wish to modify (johndoelimited.com in this case).
Activate the SSL checkbox (do not mix up with the SSI checkbox!) and save. A new SSL tab will become visible (after navigating back to the web).
Go to the SSL tab and enter the certificate data (it does not correspond to the client certificates, so you do not necessarily need to enter the same data).
In this example we enter:
Country: Germany
Province: Hessen
Town: Frankfurt
Company: John Doe Limited
Department: webhosting
Validity (days): 365

Choose "create certificate" from the selectbox below and save.
Wait for a moment and go back to the SSL tab. Now you see a certificate has been generated and put into the corresponding text boxes.

Go back to the basic settings of the web and put the following into the "apache directives" field at the bottom and save:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/ssl/cacert.pem
SSLCARevocationFile /etc/ssl/cacert.crl
<Location />
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLOptions +ExportCertData
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "John Doe"
</Location>

In this configuration "John Doe" is the only user accepted for accessing the web. So we need to generate a client certificate for that name.

The access to the web can be controlled via this configuration.
The first three lines are just a redirection, which will put all http requests to https.
The next three lines define the certificate authority (CA). It must match the client certificate's signing.
The location tag defines the access to the web. In this case the whole web can be accessed, if you own the correct certificate.
You also could protect certain folders by adding further location tags (<Location /some-folder>)
The most interesting line inside the location block is SSLRequire. It defines what data must be contained in your client certificate to be accepted. Here it only accepts the name "John Doe". (I will not explain further configuration examples, use google to find out more!)

The configuration of the web is finished here, so we can go back to the console.


Step 3: Generating client certificates

This step must be done for every user of the secure web.

The generating of certificates is done in two steps:
First we generate a certificate signing request file (CSR). Then the request needs to be signed by the certificate authority (we created in step 1)

Code:

[B]$ cd /etc/ssl
$ openssl req -new -nodes -days 365 -out jdoe.csr -keyout jdoe.key[/B]
Generating a 1024 bit RSA private key
...............++++++
....++++++
writing new private key to jdoe.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Frankfurt]:
Organization Name (eg, company) [John Doe Limited]:
Organizational Unit Name (eg, section) []:[B]Webhosting[/B]
Common Name (eg, YOUR name) []:[B]John Doe[/B]
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Passwort]
An optional company name []:

The files jdoe.csr (certificate signing request) and jdoe.key (key file) are generated.

Now we have to sign the CSR file:

Code:

[B]$ openssl ca -in jdoe.csr[/B]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
	Serial Number: 4097 (0x1001)
	Validity
		Not Before: Jul 24 22:01:36 2005 GMT
		Not After : Jul 24 22:01:36 2006 GMT
	Subject:
		countryName               = DE
		stateOrProvinceName       = Hessen
		organizationName          = John Doe Limited
		organizationalUnitName    = Webhosting
		commonName                = John Doe
		emailAddress              = [email protected]
	X509v3 extensions:
	X509v3 Basic Constraints:
			CA:FALSE
	Netscape Comment:
			OpenSSL Generated Certificate
	X509v3 Subject Key Identifier:
			53:23:97:FC:B5:E4:8D:7A:3E:B2:05:4C:C5:33:74:27:F4:F5:48:2D
	X509v3 Authority Key Identifier:
	keyid:E2:93:41:5C:89:C9:3C:81:42:6D:3C:76:CF:49:1F:8A:91:5F:4E:FC
	DirName:/C=DE/ST=Hessen/L=Frankfurt/O= John Doe Limited
	/OU=CA/CN=John Doe CA/[email protected]
			serial:B0:1F:97:8F:4A:C3:84:07

Certificate is to be certified until Jul 24 22:01:36 2006 GMT (365 days)
Sign the certificate? [y/n]:[B]y[/B]

1 out of 1 certificate requests certified, commit? [y/n][B]y[/B]
Write out database with 1 new entries
[...]
Data Base Updated

The certificate is now in /etc/apache2/ssl/newcerts/1001.pem.
The file name comes from the serial we defined in step 1 (a hexadecimal number).

The last thing to do is converting the signed certificate to a more common format ( from PEM to PFX, also called PKCS12 or P12 )

Code:

[B]$ openssl pkcs12 -export -in newcerts/1001.pem -inkey jdoe.key -certfile cacert.pem -name "John Doe => John Doe Limited" -out 1001.p12[/B]
Enter Export Password: [B][Passwort][/B]
Verifying - Enter Export Password: [B][Passwort][/B]

Now the PFX file is converted and locked with the given password. You find it here: /etc/ssl/1001.p12
Give this file and password to the corresponding user.

To install it on a client PC, you right click the p12 file and choose "install" from the context menu. Then it will work at least in Internet Explorer.
For making it work in Firefox you have to start Firefox, choose "tools -> options -> advanced. Choose "view certificates". Choose "your certificates" and click on "import". choose the p12 file and enter the corresponding password. (Note: if you have set up a master password, you will be asked it first!).

OK, so far the howto. Hope you like it!
regards, Tom

 

You are right, SSLRequire is the most interesting ..

Fun by side, great howto.

Most of the manual work you can get 'automated' or 'built-in'. The apache 2 plugin contains the exec call's for the certificate creation, and using opensssl ca -batch does not ask any question, therefore it can be built in completely.

Back to the most interesting ...
.. what came to my mind is now, to identify ISPConfig 3 users with certificates ...