[Solved] Client Certificate Login

[cezihcp]

Hello everyone

I have been trying to implement client certificate authentication for almost two days now with no success.

The main problem I'm facing is the fact that I cannot get the browser to request the certificate.

I have the SSLVerifyClient set to optional_no_ca because If I were to use a CA I would have to add an additional

SSLCACertificateFile witch causes a "Your SSL library does not have support for per-directory CA" error and if

i try to defin a SSLCADNRequestFile it notifies me that "SSLCADNRequestFile is not allowed here"

I have setup SSL with a certificate from Let's encrypt and it works, also I am setup on Tommy

.

My .htaccess file in public_html is defined as so:

 

RewriteEngine On

RewriteCond %{HTTPS} !=on

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

 

SSLVerifyClient optional_no_ca

SSLVerifyDepth 1

SSLOptions +StdEnvVars

I've setup an index file with the following php function:

<?php
function hasValidCert()
{
if (!isset($_SERVER['SSL_CLIENT_M_SERIAL'])
|| !isset($_SERVER['SSL_CLIENT_V_END'])
|| !isset($_SERVER['SSL_CLIENT_VERIFY'])
|| $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS'
|| !isset($_SERVER['SSL_CLIENT_I_DN'])
) {
return false;
}

if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
return false;
}

return true;
};

if (hasValidCert()){
echo 'Pass.';
}else{
echo 'Fail.';
}

 

and tried loading the page in Chrome, Firefox and Internet Explorer neither of which have asked me to provide a certificate

(i have 2 client certificates installed, one that is self-signed and the other signed with a CA certificate made with openssl)

 

Could someone please point out weather I'm doing something wrong or if it's even possible to do this on heliohost?

 

Kriss

 

[Krydos]

How did you create or where did you get your client certificate from in your browser?

[cezihcp]

I created the client certificate via openssl.

 

[Krydos]

I messed around with this a little, but I haven't been able to get it to work yet. I think it might be possible though.

 

The issue that we're probably running into is the server sends the message "Do you have a client certificate? These are the CAs that I consider valid." and the browser goes, "Ummm nope, none of my certificates are signed by a CA that are on that list." So your browser doesn't prompt you, and doesn't send a certificate, and those $_SERVER variables don't get set.

 

I'll fiddle with it some more later.

[cezihcp]

I understand, however does this happen even though it's set to optional_no_ca meaning that the server should not require any of the browsers certificates to be signed by a valid CA.

 

I also tried to add my own CA cert via SSLCACertificateFile and SSLCertificateFile but I get the corresponding errors that:

Your SSL library does not have support for per-directory CA.

 

However, I am very grateful for your invested time and I really do appreciate it.

 

 

 

[Krydos]

You get that error because .htaccess is not a valid context for the directive SSLCACertificateFile http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcacertificatefile

[Krydos]

I got it!

 

Check out https://krydos.heliohost.org/auth/

 

I think I can set it up for you too. PM me the following please:

 

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Post on this thread after you PM me, because I never remember to check my PMs.

[cezihcp]

Sent the PM.

[Krydos]

Ok, I sent you the .p12 file and the password to use it. Download the .p12 file to your computer. If you use chrome open

 

settings >> manage certificates >> import

 

navigate to the .p12 file and open it. It will ask for the password that I sent you. Once that's installed got to

 

http://cezih-net.heliohost.org/

 

and it should pop up the dialog box asking which certificate to use to authenticate. Then from there you can use php $_SERVER variables, etc to build a secure system.

[cezihcp]

Thank you, it does work!

Could you please give some info on how you generated the certificate so I could generate my own certificates

with the relevant client data.

[Krydos]

Um, sure. It's a bit complicated so I don't mind generating your certificates for you.

[cezihcp]

Alright, I'm sure that would be fine for now as I don't expect many users so I'll pm you the details, but would it be possible

to setup a script or something along the lines of that?

[Krydos]

I ran this all on Ubuntu. It should be similar on all distros though. Maybe some different paths. I ran all the following commands as root.

 

Edit your openssl configuration:

# vim /etc/ssl/openssl.cnf

(scroll down to)

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]

dir             = /etc/ssl/private      # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir                  # default place for new certs.

certificate     = $dir/ca.crt           # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/ca.key           # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = match
commonName              = supplied
emailAddress            = optional

Create your ca script:

# echo '#!/bin/bash' > ca
# chmod 700 ca
# vim ca

#!/bin/bash

echo 11 > /etc/ssl/private/crlnumber
echo 1111 > /etc/ssl/private/serial
openssl genrsa -out /etc/ssl/private/ca.key
openssl req -new -key /etc/ssl/private/ca.key -out /etc/ssl/private/ca.csr
openssl x509 -req -days 3650 -in /etc/ssl/private/ca.csr -signkey /etc/ssl/private/ca.key -out /etc/ssl/private/ca.crt
touch /etc/ssl/private/index.txt
openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7
cp /etc/ssl/private/ca.crt .

Create your user script:

# echo '#!/bin/bash' > user
# chmod 700 user
# vim user

#!/bin/bash

if [ ${#1} -eq 0 ]; then
  echo "Usage: ./user <username>"
  exit
fi
base="/etc/ssl/private"
mkdir -p $base/users/$1/
openssl genrsa -des3 -out $base/users/$1/$1.key 1024
openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr
openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt
openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12
cp /etc/ssl/private/users/$1/$1.p12 .

Run ./ca first and fill in the questions to create your ca.crt file. If everything works this file will be copied to where you're running the ca script from. This file gets uploaded to /home/cezihred/ssl/ca.crt

 

Next run ./user and fill in the questions to create your user.p12 file. If everything works this file will be copied to where you're running the user script from. This user.p12 file gets installed in your client browser.

 

If you mess up somehow, or want to start over entirely I wrote this script to clean things up and start over from scratch. WARNING: This deletes your CA and all of your users:

# echo '#!/bin/bash' > reset
# chmod 700 reset
# vim reset

cd /etc/ssl/private
rm -rf users
rm -f *

Like I said, it's pretty complicated so I really don't mind generating the certificates for you if you need.

[cezihcp]

Ok, I saved the instructions and once again thank you, you're the best !

also I sent the pm for the 2 client certs thanks a bunch!

[Krydos]

I created the two users for you, and their passwords and .p12 files are in the same place as the first certificate. I tested all the certificates to make sure they work with this page which you might find useful: https://cezih-net.heliohost.org/auth.php