
Mandatory client certificates

The following vhost configuration enforces client certificate authentication and only admits users from your own institution.

Tested with Apache 2.2.
Use `LogLevel debug` in the server config to see what is going on during the TLS handshake and the SSLRequire evaluation.

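#
# Example vhost: mandatory client certificate authentication, restricted to
# certificates issued by the TERENA Personal CA for one subscriber (O) and
# country (C). Written for Apache 2.2 (see the CHAIN variable note below).
<VirtualHost www.university.eu:443>
  ServerName www.university.eu
  DocumentRoot /opt/www/docs

  # Yes we want security
  SSLEngine on

  # But no weak ciphers.
  # NOTE(review): the list originally read "+MEDIUM!SSLv2" with the ":" separator
  # missing; OpenSSL splits cipher strings on ":" so the "!SSLv2" element was
  # most likely being ignored. The separator is restored here. The list itself
  # dates from the Apache 2.2 era -- RC4 and the MEDIUM group are no longer
  # considered strong, so compare it with current cipher-suite guidance
  # before reusing it.
  SSLCipherSuite ALL:!ADH:!EXP:!DES:RC4+RSA:+HIGH:+MEDIUM:!SSLv2


  # To see all SSL vars in scripting languages, for example phpinfo().
  # +ExportCertData is what makes SSL_CLIENT_CERT / SSL_CLIENT_CERT_CHAIN_n
  # (used by SSLRequire below) available as environment variables.
  SSLOptions +StdEnvVars +ExportCertData


  ############################################################
  #                     SERVER PART                          #
  ############################################################

  # Private key (keep this file readable by root only)

  SSLCertificateKeyFile /etc/ssl/private/www.university.eu.key

  # Certificate
  SSLCertificateFile /etc/ssl/certs/www.university.eu.crt

  # Intermediate certs, needed to link the previous two together
  SSLCertificateChainFile /etc/ssl/certs/www.university.eu.ca-bundle



  ############################################################
  #                     CLIENT PART                          #
  ############################################################

  # CAs of the clients you deal with, in this case 3 CAs, because
  # you have to include the entire chain:
  #
  # A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4
  # (C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA
  # Certificate Services)
  #
  # 89:82:67:7D:C4:9D:26:70:00:4B:B4:50:48:7C:DE:3D:AE:04:6E:7D
  # (C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
  # OU=http://www.usertrust.com, CN=UTN-USERFirst-Client
  # Authentication and Email)
  #
  # <FINGERPRINT-OF-TERENA-PERSONAL-CA>
  # (C=NL, O=TERENA, CN=TERENA Personal CA)
  # NOTE(review): the original page repeated the UTN fingerprint here; take the
  # real value from the certificate itself, e.g.
  #   openssl x509 -noout -fingerprint -in /etc/ssl/certs/TERENAPersonalCA.crt
  #
  # Every CA in this bundle is trusted for verification, which is why the
  # SSLRequire block below additionally pins the issuing CA.
  SSLCACertificateFile /etc/ssl/certs/TERENA_Personal_chain.crt

  # Give browser a hint which client cert should be used. It should offer
  # only certs signed by (intermediate) CAs in this file.
  # Beware: this is no security measure! It only shapes the CA list sent in
  # the CertificateRequest; a client can still present any cert that chains
  # to SSLCACertificateFile. See SSLRequire below.
  # In this case key ID 63:4D:43:5A:19:48:3F:C4:46:C1:02:BA:BF:EE:0E:E5:82:B7:66:A6
  SSLCADNRequestFile /etc/ssl/certs/TERENAPersonalCA.crt

  # Chain is 3 long
  SSLVerifyDepth 3


  <Directory /opt/www/docs>
    # Prevent SSL from being disabled somehow
    SSLRequireSSL

    # Mandatory client cert verification.
    # This option MUST be either inside a Directory block,
    # or inside an .htaccess. Sticking this option directly
    # in the vhost works, but half of the time variables like
    # SSL_CLIENT_CERT_CHAIN_0 don't get set.
    # (Per-directory SSLVerifyClient is applied via a renegotiation after the
    # request is read, which is presumably why the CHAIN variables are reliable
    # here -- confirm with LogLevel debug.)
    SSLVerifyClient Require

    # Further restriction to allow only your users. The nature of TCS certificates
    # is such that the combination of:
    #
    # 1) Signature by TERENA Personal CA
    # 2) Subscriber (O)
    # 3) Country code of Member (C)
    #
    # should establish the identity of your own users, and your users only.
    #
    # Condition 1) is checked by comparing the first certificate of the
    # presented chain (the issuer of the client cert) byte-for-byte with the
    # TERENA Personal CA file, so certs issued by any other CA that happens to
    # be in SSLCACertificateFile are rejected. Conditions 2) and 3) rely on the
    # CA enforcing the O and C attributes for its subscribers.
    # A failed SSLRequire results in a 403 for the request.
    SSLRequire (   %{SSL_CLIENT_CERT_CHAIN_0} eq file("/etc/ssl/certs/TERENAPersonalCA.crt") \
                && %{SSL_CLIENT_S_DN_O} eq "University of Europe" \
                && %{SSL_CLIENT_S_DN_C} eq "EU" )

    # Apache 2.0 -> SSL_CLIENT_CERT_CHAIN0
    # Apache 2.2 -> SSL_CLIENT_CERT_CHAIN_0


    # Use this to populate REMOTE_USER with a unique user name.
    # This looks like: /C=EU/O=University of Europe/CN=Dick Visser/unstructuredName=visser@university.eu
    SSLUsername SSL_CLIENT_S_DN

    # According to https://www.terena.org/activities/tcs/repository/cps-personal.pdf,
    # the unstructuredName should be unique. It is usually in the form of user@domain.
    # Use this to rewrite to the actual user name (less robust than SSLUsername).
    # The character class below was garbled on the original page; "[^@]+"
    # (everything up to the "@") is the intended capture, exported via %1.
    #RewriteEngine On
    #RewriteCond %{SSL:SSL_CLIENT_S_DN}	"\/unstructuredName=([^@]+)@university\.eu"
    #RewriteRule .* - [E=REMOTE_USER:%1]

  </Directory>

</VirtualHost>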