Create Client Certificate Openssl
Now that we have our server fully configured, it is time to create a client certificate. The following commands should be run on the client machine to create a Certificate Signing Request (CSR):

    openssl genrsa -out client.key 4096
    openssl req -new -key client.key -out client.csr
Last week, I was diving into different authentication systems for APIs. One of the better ways of authentication is through. This one is a bit harder to set up, but it sure is secure, manageable and powerful. While searching for documentation on the subject, I was surprised there weren't a lot of good articles. In this article, I will try to explain every step as simply as possible.
Why should I use X.509 authentication?
The main advantage is that the client is not sending a username or password to the server. This means that a man-in-the-middle attack is nearly impossible. It is much easier to steal a username/password login, for example by brute-forcing, than to steal a certificate. Because the certificate is signed, it is only possible to connect to the real server. It is possible to revoke and manage these certificates in an easy way.
Configuring the server
Client certificate authentication can only be done over HTTPS. So first of all, make sure the server is running HTTPS. This can be done with a self-signed or a CA-signed certificate. Your Apache VHost configuration should look more or less like this.
    SSLEngine on
    SSLCertificateFile '/etc/ssl/certs/server.pem'
    SSLCertificateKeyFile '/etc/ssl/private/server.key'
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
    SSLCipherSuite '.'
    # When using signed certificates:
    SSLCertificateChainFile '/etc/ssl/yourDomainName.ca-bundle'

Now that you have HTTPS up and running, you should be able to browse to your application over HTTPS.

Creating a certification authority
A certification authority (CA) hands out a digital certificate in which the CA states that the public key in the certificate belongs to the person, organization, server or entity named in the certificate. In our example, this will be based on the e-mail address provided in the certificate. The task of the CA is to check the identity of the requester, so that a client presenting a certificate from that CA can be trusted. First we will need to create the CA private key and certificate.

The CA certificate is then added to the VHost configuration:

    SSLCACertificateFile '/etc/ssl/certs/ca.crt'
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

As you can see, the client certificate verification is optional. This makes it possible to fall back to another type of authentication, like basic authentication, when there is no client certificate.
The verify depth is set to 1 so that only certificates signed directly by the configured CA are accepted. Finally, StdEnvVars is enabled so that the additional SSL server variables are available in PHP.

Configuring the client
Now that we have our server fully configured, it is time to create a client certificate. The following commands should be run on the client machine to create a Certificate Signing Request (CSR). Note: it is important to place the crt before the key in the pem file! In the above example the CSR was created on the client, to make it clear that the certificate and key should only be known by the client. However, it is perfectly possible to run all these commands on the server and send the pem file to the client who will be using the certificate. This means that the creation of the client certificate can be automated.
You could create your own user interface to make the keys manageable per user of the application. This can for example be done with the built-in extension of PHP. When the certificate file is generated on the server, you should transfer it to the client in a trusted way, for example as a download over HTTPS in the back-end of your application.

Requesting resources with a client certificate
OK, we configured our server and requested a client certificate. Now how do I use this certificate to get my resources? The easiest way is to add the '--cert' option to the curl command.
Since we are using Guzzle for HTTP requests, the client configuration will look like this.

    array(
        'ssl.certificate_authority' => 'system',
        'request.options' => array('cert' => 'client.pem'),
    );

As you can see, it is possible to specify the certificate in the request.options part of the configuration. Another option is ssl.certificate_authority. This one can be used to specify which CA should be used. By default the built-in CA file is used. You can choose to disable SSL verification or add your own CA file.
For example, when using self-signed certificates, you can run the following command. Note: this type of authentication only works with HTTPS! As you can see, HTTPS is enforced and authentication will try X.509 authentication by default. When a valid client certificate is found, Symfony will try to match the e-mail address configured inside the certificate with a user in the clientcertificate user provider.
In this case we are using an in-memory provider that links an e-mail address to a security role.

X.509 authentication in PHP
That was easy! But how does it work? By adding 'SSLOptions +StdEnvVars' to the Apache configuration, some additional SSL_ environment variables become available. These variables contain the e-mail address from the client certificate.
Creating a Certificate Authority and Certificates with OpenSSL
This was written using OpenSSL 0.9.5 as a reference. To start with, you'll need. Compilation and installation follow the usual methods. It's worthwhile to note that the default installs everything in /usr/local/ssl. No need to change this (unless you want to). After you have this installed, you may want to edit the OpenSSL configuration file with the information for your site so you have pleasant defaults when creating and signing certificates. You'll find this in /usr/local/ssl/openssl.cnf in the section req_distinguished_name. Here you can set the defaults (denoted by the _default appended to the variable name). Any settings that do not have a default, such as localityName, can have one set by appending _default. In this case you'd set localityName_default. Now, we move on to creating a private Certificate Authority (CA). First, some explanation.
The CA is used in SSL to verify the authenticity of a given certificate. The CA acts as a trusted third party who has authenticated the user of the signed certificate as being who they say. The certificate is signed by the CA, and if the client trusts the CA, it will trust your certificate.
For use within your organization, a private CA will probably serve your needs. However, if you intend to use your certificates for a public service, you should probably obtain a certificate from a known CA. In addition to identification, your certificate is also used for encryption. If you're thinking a certificate sounds similar to a PGP key, you're right. They use many of the same methods. Something else PGP and SSL have in common is the RSA encryption algorithm, which is patented. This patent expires in September of 2000, so after that you'll be free to use tools with the RSA algorithm (like OpenSSL). Until that time, to legally use RSA you need a license.
RSA Data Security usually allows non-commercial use of the RSA algorithm for academic purposes.

Creating a private CA.
Go to the OpenSSL bin directory (/usr/local/ssl/misc by default). There should be a script called CA.sh (and a CA.pl that does the same stuff). This hides all the gruesome details of how this works. Without the script this is a very annoying process.
su to root. Make sure that the OpenSSL bin directory is in your path.

    ./CA.sh -newca
When prompted for the CA filename, hit return. Answer the rest of the questions intelligently. The common name would be how this certificate might be referred to. For example, the Equifax Secure CA uses the common name of Equifax Secure Certificate Authority.

Creating certificates.

    ./CA.sh -newreq
This creates an unsigned certificate request. The procedure is the same as creating a private CA except you'll want to use the name of the host that will use the certificate as the common name (host.domain.com). If they don't match, the client will not like it. You probably don't want to use the same passphrase for this as you did with the CA.

    ./CA.sh -sign
It will ask for a PEM pass phrase; that's the passphrase you set for the private CA you created. This signs the certificate that you just created with the CA you created just moments before. You can generate multiple certificates. You'll probably need to. For example, mail.foo.com and www.foo.com each need their own certificate.
The signed certificate is now in the current directory as newcert.pem. If you are going to create more, you should rename this or it will be overwritten by subsequent signatures.

Creating client-side certificates.

    openssl pkcs12 -export -in certs.pem -inkey certs.key -out file.p12 -name 'Client Certificate'
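As an added example that is not code from the article above or from this CA.sh document, the following POSIX shell script walks the whole client-certificate pipeline both texts describe with plain openssl commands: private CA, client key and CSR, signing with the CA, the crt-before-key client.pem bundle for curl and Guzzle, the PKCS#12 export for browser import, and the two checks mod_ssl and the PHP application rely on (chain verification against ca.crt and the e-mail address that ends up in SSL_CLIENT_S_DN_Email). It assumes openssl is in PATH; every file name, subject, e-mail address and the PKCS#12 password are constructed for the example.

```shell
# Added example, not code from the article or the CA.sh document.  Assumes
# openssl is in PATH; every name, subject, e-mail and password is constructed.
WORK=$(mktemp -d)
# 1. CA private key + self-signed CA certificate (what SSLCACertificateFile
#    points to; CA.sh -newca does the same interactively).
make_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/O=Example Org/CN=Example Client CA" 2>/dev/null
}
# 2. Client key + CSR (CA.sh -newreq).  The e-mail goes into the subject
#    because the application matches users on it.  $1 = e-mail address.
make_client_csr() {
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=$1/emailAddress=$1" 2>/dev/null
}
# 3. Sign the CSR with the CA (CA.sh -sign): client cert -> CA, depth 1,
#    which is exactly what SSLVerifyDepth 1 accepts.
sign_client_csr() {
  openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" 2>/dev/null
}
# 4. Bundle for curl --cert / Guzzle 'cert': certificate FIRST, then the key.
bundle_pem() {
  cat "$WORK/client.crt" "$WORK/client.key" > "$WORK/client.pem"
}
# 5. Same key material as a PKCS#12 file for import into a browser keystore.
export_p12() {
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -out "$WORK/client.p12" -name "Client Certificate" -passout pass:changeit
}
# What mod_ssl checks at the handshake: does the chain end at our CA?
# Prints "OK" when it does (openssl verify reads the first PEM block, the cert).
verify_bundle() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.pem" 2>/dev/null \
    | sed 's/^.*: //'
}
# The value Apache exposes to PHP as SSL_CLIENT_S_DN_Email.
cert_email() {
  openssl x509 -in "$WORK/client.pem" -noout -email
}
make_ca && make_client_csr alice@example.com && sign_client_csr \
  && bundle_pem && export_p12
echo "verify: $(verify_bundle)  email: $(cert_email)  files in $WORK"
```

Swapping the order in bundle_pem (key before cert) is the mistake the article warns about; curl and Guzzle then fail to load the certificate from the pem file.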