ntroduction This document demonstrates how Apache can be used to control access based on a web client's digital certificate. Three machines are used in this example: A Certificate Authority (CA), running OpenBSD, which validates and signs the client keys, A web server, running OpenBSD and Apache + mod_ssl, which only allows users with certificates signed by the CA to view its protected pages, and The client, running Windows 2000 and IE 5.5, which requests a key with openssl.exe, and attempts to view the pages protected by the web server. Note that in a production environment, the CA should be a separate machine and disconnected from the network. Create the Certificate Authority (CA) On the machine used for the CA, create a directory for its keys: mkdir -p /etc/ssl/ca/private chown -R root:wheel /etc/ssl/ca chmod 700 /etc/ssl/ca/private Next, generate a private key and a certificate request, and then self-sign the certificate. openssl genrsa -out ca.key 1024 openssl req -new -key ca.key -out ca.csr openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt Setup the Web Server Certificate On the web server, create a self-signed certificate for SSL requests: openssl genrsa -out server.key 1024 openssl req -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Make sure the path(s) to the server certificate are correct in /var/www/conf/httpd.conf. Install the CA Certificate on the Web Server Copy the CA certificate (via floppy) to /var/www/conf/ssl.crt/ca.crt, on the web server. Tell the web server (Apache) where it can find the CA certificate, in httpd.conf: ... SSLCACertificateFile /var/www/conf/ssl.crt/ca.crt ... Require a Certificate for Access Tell Apache which URL (in this case /cert) to require authentication for. httpd.conf: ... SSLRequireSSL SSLVerifyClient require SSLVerifyDepth 10 ... Shutdown and Restart httpd: apachectl stop /usr/sbin/httpd -DSSL Have the Client Request a Certificate On the client, generate a private key and certificate request: openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr -config openssl.cnf OpenSSL for Win32 can be downloaded here. Note that OpenSSL won't be able to obtain a nice pseudo-random sample for its key generation, and will complain. However, it will allow you to specify a document for added entropy with the -rand switch. In testing, I created a file on the OpenBSD machine with dd if=/dev/srandom of=output.txt bs=4096 count=1, copied that file to Windows, and generated a key with openssl genrsa -rand output.txt -out client.key 1024. Have the Authority Sign the Certificate Copy the client request to the CA (via floppy), and sign the client request with the CA's private key: openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt Copy the signed certificate (client.crt) back to the client. Import the Client Certificate Create a PKCS#12 document from the client private key and the signed certificate: openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 Double click client.p12 to import, and select the default values. Finally, attempt to access the protected server pages (e.g. http://www.server.com/cert/). Known Issues The example generates 1024-bit keys. I tried 4096-bits for each key without success. Please drop me a note if you've solved this dilema. References OpenSSL homepage: http://www.openssl.org mod_ssl homepage: http://www.modssl.org Public-Key Cryptography Standards: http://www.rsasecurity.com/rsalabs/pkcs/ X-series Recommendations: X.500 and up: http://www.itu.int//itudoc/itu-t/rec/x/x500up/ Additional Reading Using Certificate Revocation Lists (Apache Week): http://www.apacheweek.com/features/crl Using Client Certificates with stunnel: http://www.stunnel.org/faq/certs.html#ToC1