Mutual authentication using Apache and a web client can be tricky. Here, we walk through Apache client certificate authentication and how to set it up.
Client certificate authentication means that, during the SSL/TLS handshake, the client presents its own X.509 certificate and the server checks that it was issued by a CA the server trusts.
All that is taking place here beyond standard SSL is that the server also authenticates the client that is requesting access, instead of only the client authenticating the server.
First, some assumptions must be made to get this up and running. You will need to have the following:
• Apache httpd with mod_ssl loaded. Check with:
apachectl -M | grep ssl
You should see something like this:
ssl_module (shared)
(or "(static)" if mod_ssl was compiled in). If you don't see it, you will need to get mod_ssl enabled in order to continue.
• The certs that you will create and install
Let's begin with the documented steps below:
• Create the CA: a private key and a self-signed CA certificate. This same CA will later sign the client certificate, so keep its private key well protected.
• Create the SSL server's private key.
• Create the Apache server CSR.
• Sign the Apache server CSR with the CA.
• The cert is good for 10 years.
Now, looking at this from the Apache SSL point of view, what we have below is sufficient for one-way or standard SSL communications: the server certificate and its private key, referenced by the SSLCertificateFile and SSLCertificateKeyFile directives.
If you need to place them somewhere else, be sure to modify the paths in those two SSL directives.
Either way, change those two directives in your httpd configuration in Path/to/apache/conf/extra/httpd-ssl.conf, or in your vhost configuration if that is where you are enabling SSL. Keep the private key readable by root only; Apache reads it at startup, before it drops privileges.
Let's check Apache and make sure SSL is working properly:
openssl s_client -connect host.domain.com:443
You should see a CONNECTED line, the server certificate in a BEGIN CERTIFICATE block, and a bunch of other text (the negotiated protocol and cipher, and a verify return code). If you do, all is well. Because the server certificate was signed by your own CA, expect a non-zero verify return code unless you add -CAfile /path/to/cert/selfsigned-ca.crt to the command.
If this does not work, then you must get SSL in working order before you can continue.
At this point SSL is functioning properly on the Apache web server.
In your SSL configuration file (the location selected above) add the following:
• SSLVerifyClient require
• SSLVerifyDepth 10
• SSLCACertificateFile /path/to/cert/selfsigned-ca.crt
SSLVerifyClient require is what turns one-way SSL into mutual authentication: the handshake fails unless the client presents a certificate. SSLCACertificateFile lists the CAs whose client certificates Apache will accept; Apache also sends those CA names to the browser as the acceptable issuers, which is how the browser knows which certificates in the keychain to offer. SSLVerifyDepth caps the length of the chain Apache will follow; with client certificates signed directly by this CA, 1 is enough, and 10 is simply generous.
Once again, follow the documented steps below: create the client's private key and CSR, sign the CSR with the same CA, and package the client key and certificate as a PKCS#12 bundle (selfsigned-cli.p12).
Check the configuration with apachectl configtest, then restart Apache with: apachectl restart.
Attempt to access it via https. You will be prevented from doing so without the client side certificate you just created, because Apache now demands it during the handshake.
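The whole procedure in one script, as an added example that is not code from the original article: it creates the CA, the Apache server key, CSR and signed certificate, the client key, CSR, signed certificate and selfsigned-cli.p12 bundle, writes the mod_ssl directives, checks each chain the way mod_ssl will, and includes the s_client check from earlier with the client certificate attached. The output directory, the file names other than selfsigned-ca.crt and selfsigned-cli.p12, the host name host.domain.com, the client CN "alice" and the bundle password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. It performs the steps the
# article describes: CA, server key/CSR/cert, client key/CSR/cert plus PKCS#12
# bundle, mod_ssl directives, and chain checks. Output directory, file names
# other than selfsigned-ca.crt and selfsigned-cli.p12, host name, client CN and
# bundle password are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do" >&2; exit 0; }

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/mtls-demo}"   # assumption: where files are written
SERVER_HOST="${SERVER_HOST:-host.domain.com}"     # assumption: the Apache host name
P12_PASS="${P12_PASS:-changeit}"                  # assumption: demo bundle password

# The CA: a private key and a self-signed CA certificate good for 10 years.
# CA:TRUE and keyCertSign are spelled out so the result is a usable CA no
# matter what the system openssl.cnf defaults to.
make_ca() {
  printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = ca_ext' '[ dn ]' 'CN = Self-signed demo CA' '[ ca_ext ]' \
    'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$WORKDIR/selfsigned-ca.cnf"
  openssl genrsa -out "$WORKDIR/selfsigned-ca.key" 4096 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$WORKDIR/selfsigned-ca.key" \
    -config "$WORKDIR/selfsigned-ca.cnf" -out "$WORKDIR/selfsigned-ca.crt"
}

# Key + CSR for file prefix $1 with CN=$2, signed by the CA for $4 days.
# $3 is the extended key usage: serverAuth for Apache, clientAuth for the
# browser certificate. Server certs also get a SAN, which browsers match
# instead of the CN.
make_signed_cert() {
  prefix=$1; cn=$2; eku=$3; days=$4
  {
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' '[ dn ]' "CN = $cn"
    printf '%s\n' '[ ext ]' 'basicConstraints = CA:FALSE' "extendedKeyUsage = $eku"
    if [ "$eku" = serverAuth ]; then printf 'subjectAltName = DNS:%s\n' "$cn"; fi
  } > "$WORKDIR/$prefix.cnf"
  openssl genrsa -out "$WORKDIR/$prefix.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/$prefix.key" \
    -config "$WORKDIR/$prefix.cnf" -out "$WORKDIR/$prefix.csr"
  openssl x509 -req -sha256 -days "$days" -in "$WORKDIR/$prefix.csr" \
    -CA "$WORKDIR/selfsigned-ca.crt" -CAkey "$WORKDIR/selfsigned-ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$prefix.cnf" -extensions ext -out "$WORKDIR/$prefix.crt" 2>/dev/null
}

# Bundle the client key, certificate and CA for import into the workstation keychain.
make_client_bundle() {
  openssl pkcs12 -export -inkey "$WORKDIR/selfsigned-cli.key" -in "$WORKDIR/selfsigned-cli.crt" \
    -certfile "$WORKDIR/selfsigned-ca.crt" -name "mTLS demo client" \
    -passout "pass:$P12_PASS" -out "$WORKDIR/selfsigned-cli.p12"
}

# The mod_ssl directives. SSLVerifyClient require turns one-way SSL into mutual
# authentication; SSLCACertificateFile is the only issuer Apache accepts client
# certificates from. Depth 1 suffices because the CA signs clients directly.
write_apache_conf() {
  cat > "$WORKDIR/httpd-mtls.conf" <<EOF
SSLEngine on
SSLCertificateFile    $WORKDIR/server.crt
SSLCertificateKeyFile $WORKDIR/server.key
SSLVerifyClient       require
SSLVerifyDepth        1
SSLCACertificateFile  $WORKDIR/selfsigned-ca.crt
EOF
}

# Exit 0 only if certificate $1 chains to the demo CA and is valid for purpose $2
# (sslserver or sslclient): the same decision mod_ssl makes during the handshake.
verify_against_ca() {
  openssl verify -CAfile "$WORKDIR/selfsigned-ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# The browser exchange from the command line: present the client cert and key and
# trust only the demo CA for the server. Needs a running Apache, so main skips it.
check_mtls() {
  openssl s_client -connect "$SERVER_HOST:443" -servername "$SERVER_HOST" \
    -CAfile "$WORKDIR/selfsigned-ca.crt" \
    -cert "$WORKDIR/selfsigned-cli.crt" -key "$WORKDIR/selfsigned-cli.key" </dev/null
}

main() {
  mkdir -p "$WORKDIR"
  make_ca
  make_signed_cert server "$SERVER_HOST" serverAuth 3650     # 10 years, as in the article
  make_signed_cert selfsigned-cli alice clientAuth 365       # assumption: client CN "alice"
  make_client_bundle
  write_apache_conf
  verify_against_ca "$WORKDIR/server.crt" sslserver
  verify_against_ca "$WORKDIR/selfsigned-cli.crt" sslclient
  # Negative check: a client cert from any other CA must be rejected, which is
  # exactly what SSLCACertificateFile enforces against the browser's certificate.
  mkdir -p "$WORKDIR/rogue"
  ( WORKDIR="$WORKDIR/rogue"; make_ca; make_signed_cert selfsigned-cli mallory clientAuth 365 )
  if verify_against_ca "$WORKDIR/rogue/selfsigned-cli.crt" sslclient; then
    echo "BUG: a certificate from a foreign CA verified" >&2; exit 1
  fi
  echo "CA, server cert, selfsigned-cli.p12 and httpd-mtls.conf written to $WORKDIR"
}

main
```

Copy the three SSLVerify*/SSLCACertificateFile lines from the generated httpd-mtls.conf into the vhost or httpd-ssl.conf location chosen earlier; the script writes SSLVerifyDepth 1 rather than the article's 10 because the demo CA signs client certificates directly. If an older keychain refuses the bundle, OpenSSL 3 changed the default PKCS#12 encryption, and adding -legacy to the pkcs12 -export command produces the older format. Once Apache is restarted, check_mtls is the command-line equivalent of the browser exchange described below.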
Add the new certificate bundle (selfsigned-cli.p12) to the keychain on your workstation. Now, in your browser, access the https URL once again. You will be challenged with a certificate-selection prompt like this:
Since the certificate is in my keychain, I can simply select it from the list. (The prompt above shows three copies of the same certificate; I'm not sure how that occurred, just ignore the others.)
After picking the certificate, voilà! I now have access via mutual authentication.
That is how to setup mutual authentication using Apache and a web client.
Enterprise Solutions Architect, OpenLogic by Perforce
Vince has worked in the IT industry for 27 years, as a C developer, a systems administrator, a DBA, and a network engineer. He focuses on infrastructure architecture and open source server technologies, ranging from web servers to authorization technologies like LDAP.