This is the second in a three-part series of posts on setting up a personal Certification Authority, securing Apache with client certificates, and setting up FreeRADIUS to secure your WiFi.
In the previous post we set up a Certification Authority and generated a client certificate; now let's use it.
This guide assumes that you already have Apache running with SSL and just want to add client certificates.
I've got Deluge with the web UI running on my home server, with Apache proxying requests through to it. Deluge does come with a password prompt, but I'd like a little extra security for something internet facing, so I've set it up to require a client certificate to access it.
With Apache it's surprisingly easy to do. Just copy the CA certificate (if you followed the example in the previous post it would be ~/ExampleCertificationAuthority-cacert.pem) to somewhere accessible by Apache on the server (I recommend a folder like /etc/ssl/custom), then add the SSLCACertificateFile and SSLVerifyClient options to your Apache config. Here is an excerpt from mine:
```apache
# This allows any client certificate issued by my Certification Authority
SSLCACertificateFile /etc/ssl/custom/ExampleCertificationAuthority-cacert.pem

################################################################################
# Deluge-web config
################################################################################
ProxyRequests off
ProxyPass /deluge http://127.0.0.1:8112/
<Location /deluge>
    ProxyPassReverse http://127.0.0.1:8112/deluge/
    # Client must present a certificate that chains to SSLCACertificateFile
    SSLVerifyClient require
    SSLVerifyDepth 3
    # Further restricts the list of certs to just authorised ones.
    SSLRequire %{SSL_CLIENT_S_DN_Email} eq "michael@xo.tc" \
            or %{SSL_CLIENT_S_DN_Email} eq "example@xo.tc"
</Location>
```
Then restart Apache with `sudo systemctl restart apache2.service`.
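As an added example that is not from the original post, the script below reproduces the two checks the Location block above makes, chain verification against the CA file and the SSLRequire email allowlist, so you can confirm a certificate will be accepted before loading it into a browser. It assumes openssl is installed and builds a throwaway CA and test certificates in a temporary directory; the names and emails are constructed for the example.

```shell
#!/bin/sh
# Constructed example: throwaway CA plus three client certs, then the same
# checks Apache applies (chain to SSLCACertificateFile, SSLRequire allowlist).
# Assumption: openssl is on PATH; everything is written to a temp directory.
WORK=$(mktemp -d)
CA_CERT="$WORK/ExampleCertificationAuthority-cacert.pem"
ALLOWED="michael@xo.tc example@xo.tc"     # mirrors the SSLRequire line

# Throwaway CA (constructed here, not the CA from the previous post).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
  -keyout "$WORK/ca.key" -out "$CA_CERT" 2>/dev/null

# issue_cert EMAIL NAME: client certificate signed by the throwaway CA,
# with the email in the subject DN as SSL_CLIENT_S_DN_Email expects.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2/emailAddress=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$CA_CERT" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# check_client_cert CERT: succeeds only if CERT chains to the CA *and* its
# subject emailAddress is on the allowlist, like the Location block above.
check_client_cert() {
  openssl verify -CAfile "$CA_CERT" "$1" >/dev/null 2>&1 || return 1
  email=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
          | sed -n 's/^ *emailAddress *= *//p')
  for a in $ALLOWED; do
    [ "$email" = "$a" ] && return 0
  done
  return 1
}

issue_cert michael@xo.tc michael                 # issued and allowlisted
issue_cert stranger@example.invalid stranger     # issued, not allowlisted
# Self-signed cert carrying an allowed email but not issued by our CA:
# SSLVerifyClient rejects it before SSLRequire is ever evaluated.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=rogue/emailAddress=michael@xo.tc" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

for c in michael stranger rogue; do
  if check_client_cert "$WORK/$c.pem"; then echo "$c: accepted"
  else echo "$c: rejected"; fi
done
```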
Next you need to load the client certificate into your browser. For Firefox go to Preferences > Advanced > Certificates > View Certificates, then in the Your Certificates tab go to Import... and select your certificate, in my case michael@xo.tc-cert.p12. Now when you browse to the site you should get a prompt asking you to identify yourself with a certificate.
You don't need to secure the server with a certificate signed by the same CA that signs the clients. For example, in mine you can see that the server certificate has been signed by StartCom while the client certificate is signed by Example Certification Authority.