
Comment: Migrated to Confluence 5.3

...

Tested with Apache 2.2.
Set `LogLevel debug` in the server config to see what is going on.

#
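<VirtualHost www.university.eu:443>
  ServerName www.university.eu
  DocumentRoot /opt/www/docs

  # Yes we want security
  SSLEngine on

  # Protocol versions: SSLv2 and SSLv3 are broken, allow the rest.
  SSLProtocol all -SSLv2 -SSLv3

  # But no weak ciphers.
  # - the original string had "+MEDIUM!SSLv2" (missing ':'), so OpenSSL never
  #   saw the "!SSLv2" token; it is now a separate element.
  # - RC4 is excluded instead of explicitly added: RC4 is considered broken
  #   (RFC 7465) and must not be negotiated any more.
  # - !aNULL covers the anonymous (unauthenticated) suites beyond plain ADH.
  SSLCipherSuite ALL:!aNULL:!ADH:!EXP:!DES:!RC4:+HIGH:+MEDIUM:!SSLv2


  # To see all SSL vars in scripting languages, for example phpinfo()
  SSLOptions +StdEnvVars +ExportCertData


  ############################################################
  #                     SERVER PART                          #
  ############################################################

  # Private key

  SSLCertificateKeyFile /etc/ssl/private/www.university.eu.key

  # Certificate
  SSLCertificateFile /etc/ssl/certs/www.university.eu.crt

  # Intermediate certs, needed to link the previous two together
  SSLCertificateChainFile /etc/ssl/certs/www.university.eu.ca-bundle



  ############################################################
  #                     CLIENT PART                          #
  ############################################################

  # CAs of the clients you deal with, in this case 3 CAs, because
  # you have to include the entire chain:
  #
  # A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4
  # (C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA
  # Certificate Services)
  #
  # 89:82:67:7D:C4:9D:26:70:00:4B:B4:50:48:7C:DE:3D:AE:04:6E:7D
  # (C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
  # OU=http://www.usertrust.com, CN=UTN-USERFirst-Client
  # Authentication and Email)
  #
  # 89:82:67:7D:C4:9D:26:70:00:4B:B4:50:48:7C:DE:3D:AE:04:6E:7D
  # (C=NL, O=TERENA, CN=TERENA Personal CA)
  # NOTE(review): the fingerprint given for the TERENA Personal CA is identical
  # to the USERTRUST one above -- most likely a copy/paste slip. Check the real
  # value with `openssl x509 -fingerprint -noout` on the bundle before relying
  # on this comment.
  SSLCACertificateFile /etc/ssl/certs/TERENA_Personal_chain.crt

  # Give browser a hint which client cert should be used. It should offer
  # only certs signed by (intermediate) CAs in this file.
  # Beware: this is no security measure! The browser may ignore the hint and
  # send any certificate; the actual restriction is the SSLRequire below.
  # In this case key ID 63:4D:43:5A:19:48:3F:C4:46:C1:02:BA:BF:EE:0E:E5:82:B7:66:A6
  SSLCADNRequestFile /etc/ssl/certs/TERENAPersonalCA.crt

  # Chain is 3 long (leaf -> TERENA Personal CA -> UTN -> AAA)
  SSLVerifyDepth 3


  <Directory /opt/www/docs>
    # Prevent SSL from being disabled somehow
    SSLRequireSSL

    # Mandatory client cert verification.
    # This option MUST be either inside a Directory block,
    # or inside an .htaccess. Sticking this option directly
    # in the vhost works, but half of the time variables like
    # SSL_CLIENT_CERT_CHAIN_0 don't get set.
    SSLVerifyClient Require

    # Further restriction to allow only your users. The nature of TCS certificates
    # is such that the combination of:
    #
    # 1) Signature by TERENA Personal CA
    # 2) Subscriber (O)
    # 3) Country code of Member (C)
    #
    # should establish the identity of your own users, and your users only.
    #
    # Why all three: the CA file above accepts every certificate issued under
    # the TERENA Personal CA, i.e. users of *every* subscriber. Pinning the
    # issuing CA (chain element 0 must be byte-identical to the CA cert file)
    # plus O and C narrows that down to this organisation only.
    SSLRequire (   %{SSL_CLIENT_CERT_CHAIN_0} eq file("/etc/ssl/certs/TERENAPersonalCA.crt") \
                && %{SSL_CLIENT_S_DN_O} eq "University of Europe" \
                && %{SSL_CLIENT_S_DN_C} eq "EU" )

    # Variable name differs between versions:
    # Apache 2.0 -> SSL_CLIENT_CERT_CHAIN0
    # Apache 2.2 -> SSL_CLIENT_CERT_CHAIN_0


    # Use this to populate REMOTE_USER with a unique user name.
    # This looks like: /C=EU/O=University of Europe/CN=Dick Visser/unstructuredName=visser@university.eu
    SSLUsername SSL_CLIENT_S_DN

    # According to https://www.terena.org/activities/tcs/repository/cps-personal.pdf,
    # the unstructuredName should be unique. It is usually in the form of user@domain.
    # Use this to rewrite to the actual user name (less robust than SSLUsername).
    # The regex anchors on "/unstructuredName=" and captures the local part
    # before "@university.eu"; anything from another domain does not match and
    # REMOTE_USER stays unset.
    #RewriteEngine On
    #RewriteCond %{SSL:SSL_CLIENT_S_DN}	"\/unstructuredName=([^@]+)@university\.eu"
    #RewriteRule .* - [E=REMOTE_USER:%1]

  </Directory>

</VirtualHost>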