Apache Security - Ivan Ristic [58]
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 23 17:25:01 2004 GMT
Not After : Jul 23 17:25:01 2005 GMT
Subject:
countryName = GB
localityName = London
organizationName = Apache Security
commonName = www.apachesecurity.net
emailAddress = webmaster@apachesecurity.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
63:65:EB:29:0E:58:69:5B:A1:5D:CB:2D:EC:52:DE:8C:53:87:0F:B5
X509v3 Authority Key Identifier:
keyid:F8:2D:16:DB:72:84:49:B5:D5:E5:51:FE:D8:18:54:E5:54:09:FC:E8
DirName:/C=GB/L=London/O=Apache Security/CN=Apache Security CA/emailAddress=ca@apachesecurity.net
serial:00
Certificate is to be certified until Jul 23 17:25:01 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
You can also create a private key and a CSR on the spot (which you may do if you are the only person in charge of certificates). When the private key needs a passphrase, use the -newreq switch:
# CA.pl -newreq
When a private key without a passphrase is needed, use the -newreq-nodes switch:
# CA.pl -newreq-nodes
Now you can again use the CA.pl -signreq command to create a certificate.
Issuing Client Certificates
To create a passphrase-protected client certificate, execute the following two commands in sequence:
# CA.pl -newreq
# CA.pl -signreq
Most client applications (typically browsers) require the certificate to be supplied in PKCS12 format. The following line will take the certificate from the file newcert.pem and create a file newcert.p12. You will be asked to enter an export password to protect the file. Whoever attempts to import the certificate will be required to know this password.
# CA.pl -pkcs12
Revoking Certificates
Certificate revocation is a simple operation. To perform it you need the certificate you intend to revoke. OpenSSL keeps copies of all issued certificates in the newcerts/ folder, with filenames that match certificate serial numbers. To locate a certificate, open the index.txt file and search for the email address of the user or the web address of the server. Each line in the file corresponds to one issued certificate (the following example is a single line, wrapped here to fit the page):
V 050723172501Z 01 unknown /C=GB/L=London/O=Apache Security/CN=www.apachesecurity.net/emailAddress=webmaster@apachesecurity.net
The third token on the line is the serial number. After locating the correct serial number, revoke the certificate with that serial number:
# cd /opt/openssl
# openssl ca -revoke ./demoCA/newcerts/01.pem
In step two of certificate revocation, generate a Certificate Revocation List (CRL). The CRL is a signed collection of all revoked certificates. All CAs are required to publish revocation lists on a regular basis.
# openssl ca -gencrl -out demoCA.crl
In step three, distribute the CRL to all your web servers. One approach is to publish it on a single web server that always holds the most up-to-date CRL, and to have a cron job on every other web server compare that published copy with its local one. If they differ, the job should update the locally stored copy and restart Apache to make the change active.
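The two manual decisions in the revocation procedure above, finding the serial number in index.txt and deciding whether a freshly fetched CRL should replace the local copy, are shown here as shell helpers. This is an added example, not code from the book or from OpenSSL; it assumes the tab-separated layout of OpenSSL's index.txt (status, expiry date, revocation date, serial, filename, subject DN) and constructs its own sample database, including a revoked entry, so it runs without a real CA. Fetching the CRL and restarting Apache are left to the caller.

```shell
#!/bin/sh
# Added example (not from the book): helpers for the revocation workflow.
#  - find_serial locates the serial of a valid certificate in the CA's
#    index.txt by the emailAddress in its subject DN.
#  - install_crl_if_changed replaces the local CRL only when the fetched
#    copy differs (the decision step of the cron job described above).
# Assumed: index.txt is the tab-separated OpenSSL CA database with columns
# status, expiry, revocation date (empty unless revoked), serial, filename,
# subject DN. Splitting on tabs keeps the serial in column 4 for valid (V)
# and revoked (R) entries alike; counting whitespace-separated tokens only
# works for lines whose revocation-date column is empty.

# Constructed sample database (in a real CA this is demoCA/index.txt).
INDEX=$(mktemp)
printf 'V\t050723172501Z\t\t01\tunknown\t/C=GB/L=London/O=Apache Security/CN=www.apachesecurity.net/emailAddress=webmaster@apachesecurity.net\n' >> "$INDEX"
printf 'R\t050723172501Z\t040801120000Z\t02\tunknown\t/C=GB/L=London/O=Apache Security/CN=Alice/emailAddress=alice@apachesecurity.net\n' >> "$INDEX"
printf 'V\t050723172501Z\t\t03\tunknown\t/C=GB/L=London/O=Apache Security/CN=Bob/emailAddress=bob@apachesecurity.net\n' >> "$INDEX"

# find_serial INDEXFILE EMAIL
# Prints the serial of the valid (V) certificate whose subject DN contains
# the exact component emailAddress=EMAIL; prints nothing if there is none.
# Comparing whole DN components avoids matching a longer address that
# merely contains EMAIL as a prefix.
find_serial() {
    awk -F'\t' -v want="emailAddress=$2" '
        $1 == "V" {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == want) print $4
        }' "$1"
}

# cert_status INDEXFILE SERIAL
# Prints the status column (V valid, R revoked, E expired) for SERIAL.
cert_status() {
    awk -F'\t' -v want="$2" '$4 == want { print $1 }' "$1"
}

# install_crl_if_changed FETCHED LOCAL
# Copies FETCHED over LOCAL when they differ (or LOCAL is missing) and
# returns 0 so the caller knows to restart Apache; returns 1 when nothing
# changed. Verify the fetched file's signature against the CA certificate
# before calling this, so a corrupt or tampered download is never installed.
install_crl_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    cp "$1" "$2" && return 0
}

# Usage (paths are the book's; the fetched-CRL path is an assumption):
#   serial=$(find_serial demoCA/index.txt webmaster@apachesecurity.net)
#   openssl ca -revoke "demoCA/newcerts/$serial.pem"
#   openssl ca -gencrl -out demoCA.crl
#   install_crl_if_changed /tmp/demoCA.crl \
#       /usr/local/apache2/conf/ssl/demoCA.crl && apachectl restart
```

The revoked entry for alice@apachesecurity.net is deliberately skipped by find_serial, since revoking an already revoked serial is an error, while cert_status still reports it as R so a script can explain why no serial was returned.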
Using Client Certificates
After all our hard work, using client certificates consists of adding a few lines to the httpd.conf file on each web server to be used for SSL communication:
# CA certificate path
SSLCACertificateFile /usr/local/apache2/conf/ssl/demoCA.crt
# Certificate revocation list path
SSLCARevocationFile /usr/local/apache2/conf/ssl/demoCA.crl
# Clients are required to have valid certificates
# in order to access the web site
SSLVerifyClient require
# Client certificates are accepted as valid only
# if signed directly by the CA given above
SSLVerifyDepth 1
It is important to have only one CA known to the Apache installation