Greetings!
We're going to begin by assuming you have Apache running with mod_ssl
installed and properly configured, and you have a valid CA set up
already.
I'll address your question in two parts.
First, how to set up mod_ssl to accept or require client certificates:
"When you know your user community (i.e. a closed user group
situation), as it's the case for instance in an Intranet, you can use
plain certificate authentication. All you have to do is to create
client certificates signed by your own CA certificate ca.crt and then
verify the clients against this certificate."
Place the following entry in your httpd.conf:
    # require a client certificate which has to be directly
    # signed by our CA certificate in ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile conf/ssl.crt/ca.crt
From the mod_ssl website documentation, Chapter 5
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
If you require more detailed or complex configurations, visit the
above link. They give directions for sectioning off the website,
using HTTPS and more.
Second, we need to create the user certificates. This process varies
depending on which browser the client is using. You will use OpenSSL
directly for this step. The general idea is that the user goes to a
web page with an HTML form, fills in their information, and on
submission of the form, a certificate is created and downloaded to the
browser.
The step by step directions are at the SSL Cookbook site:
http://www.pseudonym.org/ssl/ssl_cook.html#client_certs
With explicit examples and code and HTML for Netscape at:
http://www.pseudonym.org/ssl/ssl_nsclient_certs.html
And for IE at:
http://www.pseudonym.org/ssl/ssl_msclient_certs.html
If you have any further questions or need clarification, don't
hesitate to ask!
Thanks!
Search Terms Used:
openssl create client certificate
create client certificates mod_ssl
mod_ssl
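
An added example, not part of the original answer: issuing a client certificate signed directly by your own CA with the openssl command line, then checking that it validates against ca.crt (the file SSLCACertificateFile points at) while a certificate from an unrelated CA does not. All names, the demo.cnf file and the directory layout are constructed for illustration, and the keys are throwaway and unencrypted.

```shell
#!/bin/sh
# Added example: throwaway demo PKI. All names are constructed; keys are unencrypted.
set -eu
# Minimal OpenSSL config so results do not depend on the system openssl.cnf.
write_cnf() {
cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}
# make_ca DIR CN: self-signed CA certificate DIR/ca.crt with key DIR/ca.key
make_ca() {
    mkdir -p "$1"; write_cnf "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/demo.cnf" \
        -extensions v3_ca -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
# issue_client DIR NAME: key and CSR for NAME, signed directly by the CA in DIR
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/demo.cnf" -extensions v3_client \
        -out "$1/$2.crt" 2>/dev/null
}
# accepts CA_CRT CLIENT_CRT: true only if CLIENT_CRT chains to CA_CRT as a TLS client cert
accepts() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}
demo() {
    d=$(mktemp -d)
    make_ca "$d/intranet" "Demo Intranet CA"; issue_client "$d/intranet" alice
    make_ca "$d/other" "Unrelated CA";        issue_client "$d/other" mallory
    accepts "$d/intranet/ca.crt" "$d/intranet/alice.crt" && echo "alice: accepted"
    accepts "$d/intranet/ca.crt" "$d/other/mallory.crt"  || echo "mallory: rejected"
    rm -rf "$d"
}
demo
```

Keep ca.key off the web server; only ca.crt is needed there for verification.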