Software
Articles
qmail
Window Maker
Cfengine
No Machine
UNIX profile
Rants
Blog
3D
Photos
OpenSSL
CV
Contact

OpenSSL notes

Creating personal certificates and using them for HTTP authentication
=====================================================================
To make a personal certificate (like the ones you can buy from Verisign) we 
simply make a new certificate as usual and export it in pkcs12 format.

openssl genrsa -out me.key -des3 1024
openssl req -new -days 365 -key me.key -out me.csr
./sign.sh me.csr
openssl pkcs12 -clcerts -export -inkey me.key -in me.crt -out me.p12 -descert

You are asked for the private key password and then prompted to enter an 
export password.  This is a different password that is needed when importing 
the cert into your browser.

Importing the certificate
-------------------------
( Netscape: Security -> Certificates -> Yours -> Import a certificate: p12 )
To import the certificate into Netscape 4.x, click the padlock icon at the 
bottom left of the browser window, select Certificates, then Yours and choose 
Import a certificate.  Netscape presents you with a *.p12 fileselector.  Find 
the me.p12 file and import it.  Type the Export Password when requested.

( Mozilla: Preferences -> Priv & Sec -> Certificates -> Manage -> Restore: p12 )
To import the the certificate into Mozille, choose Preferences from the Edit 
menu and select Privacy & Security.  Click Certificates and press the 
Manage Certificates button.  Then hit Restore, browse to the me.p12 file and 
enter the Export Password when requested.

( IE: Internet Options -> Certificates -> Personal -> Import: p12 )
To associate the certificate with your Windows profile (it's available to IE 
and Outlook etc) open the Internet Options control panel item and enter the 
Certificates submenu.  Under Personal, click Import and browse to the me.p12 
file.  Enter the Export Password when required.

( KDE: kcontrol -> Personalization -> Crypto -> Your certs -> Import: p12 )
To associate the certificate with your KDE profile and make it available to 
kmail and konqueror etc, open kcontrol and choose Crypto from the 
Personalization menu.  Under Your Certificates hit Import and locate the me.p12 
file.  Enter the Export Password when required.

Note: konqueror seems to (stupidly) require the Export Password and *not* the 
private key password when presenting the cert to remote sites.  Bad.

Making apache require a valid certificate
-----------------------------------------
If you haven't already done so, add the CA cert in text format to ca-bundle.crt 
so it can be trusted by apache.

openssl x509 -in ca.crt -text >> /etc/ssl/certs/ca-bundle.crt

Now tell apache to require a certificate signed by one of the CAs in the 
ca-bundle.crt list.

SSLCACertificateFile /etc/ssl/certs/ca-bundle.crt
SSLVerifyClient require
SSLVerifyDepth 1

Telling apache to bypass username/password authentication with a certificate
----------------------------------------------------------------------------
* DOES NOT WORK WITH mod_auth_mysql *
We can tell apache to accept a cert as sufficient for authentication to a 
protected resource but fall back to username and password if no cert is 
presented.
To do this we take advantage of mod_ssl's FakeBasicAuth feature, which takes 
the Distinguished Name of the cert and makes a username out of it, with 
password 'password'.
We can use openssl x509 to find out the DN (or subject).

openssl x509 -noout -subject -in crt

Since 'password' hashes to 'xxj31ZMTZzkVA' we need to add that to our 
password file.

openssl x509 -noout -subject -in crt \
| sed 's/^[^ ]* //;s/.*/&:xxj31ZMTZzkVA/' >> /opt/apache/passwords/ssl

Now we add the following rules to our protected resource.

AuthType basic
AuthName "whatever"
AuthUserFile /opt/apache/passwords/ssl
require valid-user
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth

IF the browser presents a cert its DN is checked in the password file.  Normal 
username/password authentication is attempted otherwise.  Put the standard 
htpasswd entries in the same AuthUserFile!

Accepting connections from the internet with a cert
---------------------------------------------------
We can have apache accept connections from arbitrary hosts if they present a 
valid cert and also let in people on specified IPs without one.  In this 
example we will also require a username and password, since that's useful in 
our admin server setting.

Follow the steps above but add these extra directives.

SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
            and %{SSL_CLIENT_S_DN_O} eq "ViaGold Direct Network" \
            and %{SSL_CLIENT_S_DN_OU} in {"Technical staff", "CA"} ) \
             or %{REMOTE_ADDR} eq "203.153.65.252"

SSLOptions +StrictRequire is like mod_auth_XXX_authoritative and stops apache 
falling through to basic authentication if our SSL conditions are not met.  
And those conditions are that a useful cipher is used, that the cert 
organisation is ViaGold, that the organisational unit of the holder is 
techstaff or similar OR that the client address is on our subnet.