logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: User Certificate Authentication
Author
NivekLR



Joined: 20 May 2018
Posts: 6
Location: France

PostPosted: Sun 20 May '18 10:09    Post subject: User Certificate Authentication Reply with quote

Hello to all,

I am stuck on the configuration of an authentication of users by certificate.

Host: Windows 10 x64
Application: WAMPServer 3.1.3 x64
Apache: 2.4.33
PHP: 7.2.5
MySQL: 5.7.22
OpenSSL: 1.0.1h

My HTTPS access have been configured to use Let's Encrypt certificates

I have configured my slef-signed Root CA and Intermediate CA with OpenSSL.

I have emitted some server and client certificates that are OK (e.g. MySQL "Require SSL" option)

Then I have configured Apache to use my self-signed certificates for user authentication with SSLCADNRequestPath and SSLCADNRequestFile options.

If the SSLVerifyClient is set to optional_no_ca all access is working but if I set this to optional or require I have the following error:
Peer does not recognize and trust the CA that issued your certificate. Error code: SSL_ERROR_UNKNOWN_CA_ALERT

On Apache's log I have the following errors:
- AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
- AH02261: Re-negotiation handshake failed
- SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

When I test the openssl command openssl s_client -connect url:443 the certificate displayed is the Let's Encrypt one.

Does a configuration permits to force to use my self-signed for user authentication ?

My Root and Intermediate are installed on Windows Certs Store and Firefox Certificates.

Kind regards,

NivekLR
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Sun 20 May '18 20:12    Post subject: Reply with quote

Hello,

maybe the following lines help you?

SSLCACertificateFile conf/ssl.crt/radde-ca-client-chain.crt
SSLVerifyClient require
SSLVerifyDepth 2

I have created my own CA with an intermediate CA for signing the certificates used by the clients.
So I have chained the root-CA's cert and the intermediate-CA's cert into one file and configured this as "SSLCACertificateFile" within apache.

So if you have only a self-signed/self-created CA that is signing the client's certificates then "SSLVerifyDepth 1" should be sufficient, too.

Best regards
Matthias
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Mon 21 May '18 10:40    Post subject: Re: User Certificate Authentication Reply with quote

Why are you using self-signed certificates in the chain with Let's Encrypt? Let's Encrypt has its own signed certificates: https://letsencrypt.org/certificates/
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Mon 21 May '18 11:34    Post subject: Reply with quote

@Jan-E:
I believe he is using the Let's-encrypt-certificate on the webserver for encryption.
And the self-signed-certificate is for user-authentication.
Might not be a good idea to do it this way but should be possible.
Back to top
NivekLR



Joined: 20 May 2018
Posts: 6
Location: France

PostPosted: Mon 21 May '18 17:26    Post subject: Reply with quote

That's correct. I am using LE for web access because it's a public authority (no installation required) and my self-signed ones for client authentication to get the authority on my client auth certificates.
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Tue 22 May '18 16:28    Post subject: Reply with quote

@NivekLR:
have you created your own self-signed CA for signing client-certs or do you have created a bunch of self-signed certificates?
Back to top
NivekLR



Joined: 20 May 2018
Posts: 6
Location: France

PostPosted: Wed 23 May '18 12:25    Post subject: Reply with quote

I have created a Root CA and an Intermediate, then I have emitted the users' certificates.

PS: I have tested with my own certificate for web access and I have no error.
So I really think that when the web access and users certificates are not signed by the same root ca the verification not working...

Kind regards,

NivekLR
Back to top
timo



Joined: 03 Jun 2012
Posts: 45
Location: FI, EU

PostPosted: Wed 23 May '18 16:06    Post subject: Reply with quote

NivekLR wrote:

So I really think that when the web access and users certificates are not signed by the same root ca the verification not working...

Kind regards,

NivekLR

I have a LetsEncrypt certificate for my web server,
and a self-signed certificate for client certification.

It works fine.

Client certificate is created with SimpleAuthority ( http://simpleauthority.com/ ).

Use Simpleauthority to create CA and user certificates. Finally, SimpleAuthority creates a .p12 file (includes user certificate + CA if you opt for that). This you have to import to your client computer, that is for each client computer you wish to access the web server using client certificate.

In Apache server (in my setup, version 2.4.33), I have for the web server's certification
1) SSLCertificateFile pointing to chain-file (.pem) created by letsencrypt
2) SSLCertificateKeyFile pointing to key-file (.pem) created by letsencrypt

and for the client certification
3) SSLCACertificateFile pointing to CA-file (.crt) created by SimpleAuthority
4) SSLCARevocationFile pointing to revocation file (.pem) created by SimpleAuthority

Furthermore, I use SSLVerifyClient optional so I can also use username/password in case I access my web server from a PC that does not have the client vertificate installed.
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Wed 23 May '18 18:02    Post subject: Reply with quote

@NivekLR :
so you have (for the client-auth) the same construction as I have Very Happy
But depending on the Browser (found out using tcpdump/Wireshark Rolling Eyes) the intermediate-certificate (that the browser has!) is not submitted to the webserver. So if the webserver only knows about your root-CA and if you are using "SSLVerifyDepth 2" then your webserver does not know the connection between the client-cert and the root-CA-cert Mr. Green.
That is the reason why I chained both the root-CA-cert and the intermediate-cert and used this as "SSLCACertificateFile".
Back to top
timo



Joined: 03 Jun 2012
Posts: 45
Location: FI, EU

PostPosted: Wed 23 May '18 19:39    Post subject: Reply with quote

I don't have any intermediate certificate.
The browser has client certificate (+ key of course, all included in .p12 file), and server has CA-certificate.
For that reason, SSLVerifyDepth 1 (default value) is sufficient in my setup.
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Wed 23 May '18 21:14    Post subject: Reply with quote

@timo
thank you for verification/proofing that encryption-cert and authentication-cert does not need to have the same CA. Good to hear that my guess was correct Mr. Green
Any you are absolutely right - if you don't use intermediate-CAs the "SSLVerifyDepth 1" is working great and absolutely correct.
But as soon as you start using intermediate CAs (as NivekLR and I did) and use "SSLVerifyDepth 2" it is better to store the intermediate CA's certificates within apache's config to avoid the problem of the "missing" intermediate CA-cert as described.
Back to top
NivekLR



Joined: 20 May 2018
Posts: 6
Location: France

PostPosted: Thu 24 May '18 10:53    Post subject: Reply with quote

Thank you very much to all !

I have just understood my error...
In the configuration of apache I set SSLCACertificateFile to the Let's Encrypt's one while it was not necessary because it's public.
So I have set this option to my self-signed chain certificate and it works !

Kind regards,

NivekLR
Back to top


Reply to topic   Topic: User Certificate Authentication View previous topic :: View next topic
Post new topic   Forum Index -> Apache