Q: mod_ssl ( Answered,   2 Comments )
Question  
Subject: mod_ssl
Category: Computers > Security
Asked by: dannyrg27ps-ga
List Price: $10.00
Posted: 02 Jul 2002 05:34 PDT
Expires: 01 Aug 2002 05:34 PDT
Question ID: 35769
Step-by-step guide to setting up client certificates using Apache 1.3.26 and OpenSSL
Answer  
Subject: Re: mod_ssl
Answered By: readersguide-ga on 02 Jul 2002 07:40 PDT
 
Hi dannyrg27ps-ga!

This was an interesting question! My husband operates a home server
using Apache, so this gave me a bit of insight into all the work
required to keep it up and running!

According to _OpenSSL Certificate Cookbook_, it appears that this is a
fairly simple process, although you must use different procedures for
Netscape and Internet Explorer.

Client Certificates section
http://www.pseudonym.org/ssl/ssl_cook.html#client_certs

According to that section: 
"A client certificate is used to authenticate a client to a server.
The use of client certificates is only needed if the server is
configured to require them.

Creating and installing one is more difficult than creating a server
certificate because the client must generate a key-pair, keep the
private key to itself, and send the public key to the certificate
authority to be incorporated into a certificate request. Once a signed
certificate has been created using the Certificate Authority, this
client certificate must be installed in the client so that the client
may present it when needed.

Different clients such as Netscape Navigator and Microsoft Internet
Explorer support different mechanisms for creating client
certificates. The general procedure is the same, and consists of the
following steps:

User requests HTML page which displays form on client.

User enters identification information.

Submission of the form causes the following sequence to occur:

Browser generates a key pair (public and private key). 
Private key is stored in browser. 
Public key is sent with identification information to the server. 
Server CGI script creates certificate and loads it into the client.

The HTML form includes fields (containing defaults) for the different
distinguished name attributes which are to be used in the client
certificate. The HTML form also contains information used to cause the
browser to generate a key-pair, and a hidden field used to return this
to the CGI script. This hidden information is browser dependent and
the form is processed by a browser-dependent script." (end of quoted
material from Client Certificate section)

Netscape Client Certificate Management
http://www.pseudonym.org/ssl/ssl_nsclient_certs.html

Internet Explorer Client Certificate Management
http://www.pseudonym.org/ssl/ssl_msclient_certs.html

There is a lot of useful information at this site regarding
installation and setup of OpenSSL.

An Introduction to Certificates can be found at:
http://www.pseudonym.org/ssl/ssl_msclient_certs.html

You may also wish to look at these sites for more information:

Building a Secure RedHat Apache Server HOWTO
http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO.html#toc1

Apache-SSL Documentation
http://www.apache-ssl.org/docs.html#SSLCheckClientDN

I hope this answers your question and you are able to get back to work
on your project!

Regards,
readersguide-ga
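
Added example, not part of the original answer or of the cookbook it quotes: the key-pair, request, signing and install steps described above, done with the openssl command line against a throwaway CA instead of a browser form and CGI script. The file names, subject names and PKCS#12 password are constructed for illustration, and the mod_ssl path in the comments is a placeholder.

```shell
#!/bin/sh
# Client-certificate flow with a throwaway CA (all names are constructed).
set -e

# issue_client_cert DIR CN: create a test CA in DIR and issue a client cert for CN.
issue_client_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # 1. Certificate authority: private key plus self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/O=Example Test CA/CN=Example Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Client: key pair and certificate request. client.key stays with the
    #    client; only the request (public key + identification) goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=$cn" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # 3. CA: sign the request to produce the client certificate.
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 -sha256 \
        -out "$dir/client.crt" 2>/dev/null
    # 4. Bundle key + certificate + CA as PKCS#12 for import into the browser.
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -certfile "$dir/ca.crt" -passout pass:constructed-demo-pass \
        -out "$dir/client.p12"
}

# client_cert_accepted CAFILE CERT: prints "accepted" if CERT chains to CAFILE,
# else "rejected". This is the chain check a server requiring client certs makes.
client_cert_accepted() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# Matching mod_ssl directives for the SSL virtual host (placeholder path):
#   SSLCACertificateFile /path/to/ca.crt
#   SSLVerifyClient      require
#   SSLVerifyDepth       1

# Run as "sh script.sh demo" to see both outcomes.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    issue_client_cert "$tmp/ours" alice
    issue_client_cert "$tmp/other" mallory   # same CA name, different CA key
    echo "own CA:   $(client_cert_accepted "$tmp/ours/ca.crt" "$tmp/ours/client.crt")"
    echo "other CA: $(client_cert_accepted "$tmp/ours/ca.crt" "$tmp/other/client.crt")"
    rm -rf "$tmp"
fi
```

The second certificate is rejected even though its issuer name matches, because the signature is checked against the key in the server's trusted CA file.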

Clarification of Answer by readersguide-ga on 02 Jul 2002 07:52 PDT
Ooops! I forgot to include my search terms:
"client certificate using apache"

Request for Answer Clarification by dannyrg27ps-ga on 02 Jul 2002 09:27 PDT
What I'm after is a step by step guide that includes details of the
intermediate certs and how to set-up the password file.

I've looked at most of the links previously and to be honest that's why I
asked the question.

Danny

Clarification of Answer by readersguide-ga on 02 Jul 2002 16:11 PDT
dannyrg27ps,

What operating system are you using? The steps will probably be
different between linux and windows. I'll keep working!

readersguide

Clarification of Answer by readersguide-ga on 03 Jul 2002 13:24 PDT
Hi again Danny,

As promised I did some additional digging. Here's what I found:

This page from InstantSSL gives step-by-step instructions for
Installing your Certificate on Apache Mod_SSL. It includes information
on Intermediate Certificates as well.
http://www.instantssl.com/support/cert_installation/mod_ssl.html

Verisign also has instructions
http://www.verisign.com/support/install/apache/v00Mod.html

Search terms in Google:
intermediate certificates mod_ssl
://www.google.com/search?sourceid=navclient&q=intermediate+certificates+mod%5Fssl

For password setup, Essenz Consulting offers a Comprehensive Guide to
Building Apache on FreeBSD and Linux
http://www.essenz.com/support/apache.html
Brief contents are:
1. Getting Started
2. Downloads
3. Building MySQL
4. Building PHP
5. Building SSL
6. Building mod_perl
7. Building Apache

Developer Shed had the following. It presumes the use of MySQL tables.
You didn't mention those details, so if this is incorrect, my
apologies.
http://www.devshed.com/Server_Side/PHP/SoothinglySeamless/page6.html

Directions:
Now it is time to create the mysql tables used to define the
permissions. Make sure you replace "new-password" with something of
your choice, otherwise, new-password will be your root password.
--------------------------------------------------------------------------------
# scripts/mysql_install_db
# cd /usr/local/mysql/bin
# ./safe_mysqld &
# ./mysqladmin -u root password 'new-password'
--------------------------------------------------------------------------------
You can ensure that MySQL is working by running some simple tests to
verify that the server is working. The output should be similar to
what is shown below:

--------------------------------------------------------------------------------
# BINDIR/mysqlshow -p
Enter password:
+-----------+
| Databases |
+-----------+
| mysql     |
+-----------+

--------------------------------------------------------------------------------

Once you install MySQL, it will automatically create two databases.
One is the mysql table which controls users, hosts, and database
permissions in the actual server. The other is a test database. We
could use the test database, however, we want to give you a quick and
simple overview of some of the command line options available with
MySQL. Also, this will ensure that root has been set up with full
access to the database server (i.e. root has permission to create
databases, tables, etc.) We will create a "test2" database that we
will use later for our testing after logging into the MySQL server.

--------------------------------------------------------------------------------
# mysql -u root -p
Enter password:
mysql> show databases;
+----------+
| Database |
+----------+
| mysql    |
| test     |
+----------+
2 rows in set (0.00 sec)
mysql> create database test2;
Query OK, 1 row affected (0.00 sec)
--------------------------------------------------------------------------------

Now select the test2 database, and create a new table called tst_tbl,
with the two following fields. Field 1, which is an id field which
lets you know the id of the record. Essentially, this is just a row
number for simplicity. The second field is a name field in which you
will store name information about books. The formats for these fields
are.. field 1 (id) is an integer (int) of length 3, and field 2 (name)
is a character (char) field of length 50. We assign id to be the key
for searching and indexing the data.

NOTE: MySQL commands are not case-sensitive. For example, CREATE and
cReatE will be interpreted the same way. Also, remember to add a
semi-colon after your commands.

--------------------------------------------------------------------------------
mysql> use test2;
Database changed
mysql> CREATE TABLE books (
-> id int(3) not null auto_increment,
-> name char(50) not null,
-> unique(id),
-> primary key(id)
-> );
Query OK, 0 rows affected (0.00 sec)

--------------------------------------------------------------------------------

Now we can verify that indeed everything is correct with the following
commands.

--------------------------------------------------------------------------------
mysql> show tables;
+-----------------+
| Tables in text2 |
+-----------------+
| books           |
+-----------------+
1 row in set (0.00 sec)
mysql> describe books;
+-------+----------+------+-----+---------+----------------+
| Field | Type     | Null | Key | Default | Extra          |
+-------+----------+------+-----+---------+----------------+
| id    | int(3)   |      | PRI | 0       | auto_increment |
| name  | char(50) |      |     |         |                |
+-------+----------+------+-----+---------+----------------+
2 rows in set (0.00 sec)
--------------------------------------------------------------------------------

Search terms in Google:
password setup mod_ssl
://www.google.com/search?sourceid=navclient&q=password+setup++mod%5Fssl

password file mod_ssl
://www.google.com/search?sourceid=navclient&q=password+file++mod%5Fssl

The links in the "password file mod_ssl" list seem to have
instructions for compiling for Microsoft Windows, Mac OS X which may
be of use if you are using something other than Linux. (For the
clarification of Worth-GA).

Since I didn't hear anything further from you Danny, I presume that
you ARE using some flavor of Linux, however, it is NOT a requirement.

I hope these instructions are what you were looking for. My initial
search was based on the information you offered regarding a need for
client certificates, but I'm happy to provide further searches to get
what you need.

Regards,
readersguide

Request for Answer Clarification by dannyrg27ps-ga on 04 Jul 2002 10:27 PDT
Yes, the OS is Linux Red Hat 7.x, Apache 1.3.26. No MySQL, no PHP, just
Apache web server. Clients are IE 5.5 onwards.

Hope that answers the clarification.

Danny

p.s. appreciate the leg work !!!!

Clarification of Answer by readersguide-ga on 04 Jul 2002 19:29 PDT
Danny,

It seems from what I've found you should download MySQL to set up the
intermediate certificates for the database (free) from
http://www.mysql.com/downloads/index.html
Information about what MySQL is and does is available at
http://www.mysql.com/products/what_is_mysql.html

PHP (also a free download)
http://www.php.net/downloads.php
"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
If you are new to PHP and want to get some idea of how it works, try
the introductory tutorial."
(from the top page at http://www.php.net)

I hope that these resources will meet your needs.

Regards,
readersguide
Comments  
Subject: Re: mod_ssl
From: worth-ga on 02 Jul 2002 16:41 PDT
 
Since he is asking about mod_ssl, he is talking about Apache on *nix.

Subject: Re: mod_ssl
From: readersguide-ga on 03 Jul 2002 16:02 PDT
 
Hi worth!

I too made an assumption initially that some flavor of linux was being
used, however, as you can see from the title pages on the first
results page, mod_ssl *can* be used with MS Windows and Mac OS X.

Here is my search in google:
password file mod_ssl 
://www.google.com/search?sourceid=navclient&q=password+file++mod%5Fssl

It was further discussion of the question with my geek-husband that
prompted me to request the OS clarification. I still believe the
question was really based on a linux OS. Hopefully Danny will clear
that up soon!

readersguide
