SSL Client Authentication is a process by which a server checks client provided certificate to make an SSL connection. If the client certificate is trusted, then a successful SSL connection is made with server. Else client is denied access to the website.
This is useful when you want only specific clients/people to access your website even by keeping your website public. You can add the SSL Client Authentication in location block as well for Apache to restrict specific paths to allow only SSL Authorized users.
Here are the steps to configure this on Apache server
Apache installed with SSL Module enabled
sudo apt install apache2 -y a2enmod ssl systemctl restart apache2
Generating CA’s and Server Certificates:
openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout selfsigned-ca.key -x509 -days 3650 -outform PEM -out selfsigned-ca.crt
Create the SSL server’s private key:
openssl genrsa -out selfsigned.key 2048
Create the Apache server CSR:
openssl req -new -key selfsigned.key -out selfsigned.csr
Sign the Apache server CSR:
openssl x509 -req -in selfsigned.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key -set_serial 100 -days 365 -outform PEM -out selfsigned.crt
You need to fill out the above details as per your domain and Organization policies.
Directory Structure would be as follows
Add the below lines to your Apache configuration to test SSL
SSLCertificateFile "/path/to/selfsigned.crt” SSLCertificateKeyFile "path/to/selfsigned.key”
Check if SSL works by opening website URL in browser/using curl
Begin Mutual Authentication:
Add the below lines to your Apache configuration virtual host for which you want to create SSL Client Authentication
SSLVerifyClient require SSLVerifyDepth 10 SSLCACertificateFile /path/to/cert/selfsigned-ca.crt
Creating Client Certificates:
Generate the client’s private key:
openssl genrsa -out selfsigned-client.key 2048
Create the client CSR:
openssl req -new -key selfsigned-client.key -out selfsigned-client.csr
Sign the client CSR:
openssl x509 -req -in selfsigned-client.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key -set_serial 101 -days 365 -outform PEM -out selfsigned-client.crt
Bundle the client’s certificate and client’s key into a p12 pack:
openssl pkcs12 -export -inkey selfsigned-client.key -in selfsigned-client.crt -out selfsigned-client.p12
systemctl restart apache2
Copy the p12 certificate to client machine and install it. You can either install the certificate for whole machine or import only for specific browser the end-user uses.
Now open the website and only people who have client certificate signed by server are allowed to authenticate via SSL and access it.
Use the above commands to generate, sign as many as client certificates needed