SSL website encryption AND client-certificate authentication

From n0r1sk software solutions
Jump to: navigation, search

In our example-configuration we have to create three certificates. One certificate for the root-CA, one for the SSL-encryption and one with which we can authenticate to the application.

Create certificates

For better understanding our documentation will go through the whole process of creating the root-CA to the application authentication via a SSL-certificate.

Software requirements:

  • openssl
  • apache

Create the root-CA

At first we have to create a root-CA so that we can create and the server will accept the self-signed SSL-certificate and the self-signed Client-certificate.

mkdir newcerts
echo -ne "01" >serial
echo -ne "01" >crlnumber
touch index.txt
locate openssl.cnf
cp path/openssl.cnf ./ca.cnf
vi ca.cnf

Let's configure the ca.cnf so that we can create the root-CA.

[ CA_default ]

dir = path/newcerts
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key

If you want to save some time during the certificate creation you can configure the following parts in the ca.cnf.

[ req_distinguished_name ]
countryName = ...

Create the ca.key

openssl genrsa -des3 -out ca.key 2048
Enter pass phrase for ca.key:*****
Verifying - Enter pass phrase for ca.key:*****

Create the ca.crt

openssl req -config ./ca.cnf -new -x509 -days 3650 -key ./ca.key -out ./ca.crt
Enter pass phrase for ca.key:*****
Country Name

Create the SSL-certificate

Create the SSL-certificate for the required domain. In our example a dyndns domain called "". We will give the SSL-certificate an expiration time of 730 days.

openssl genrsa -out 1024
openssl req -config ./ca.cnf -new -key -out
Common Name ... =
openssl ca -config ./ca.cnf -days 730 -in -out

After that you will have to enter the pass phrase for the SSL-certificate and apply that you want to sign the certificate. Now, if everything went fine, we have a self-signed SSL-certificate with the filename which you can apply to the apache-server.

Create the Client-certificate

In our example we use a fictive name + the dyndns domain name called "". We will give the Client-certificate an expiration time of 730 days.

openssl genrsa -des3 -out 1024
openssl req -config ./ca.cnf -new -key -out
openssl ca -config ./ca.cnf -days 730 -in -out

To complete the steps we have to get the Client-certificate in p12-format so you can install it on your for example: firefox. If you want to you can apply a pass phrase to your certificate so you will be asked the password each time you want to use the Client-certificate but it is not a must!

openssl pkcs12 -export -in -inkey -certfile ca.crt -out

Enter a password for your Client-certificate or leave it blank if you don't want any. After that you will be asked to enter the export password which you have to enter! Don't leave this one blank!

Additional information

If you want to use the created certificates for apache we recommend to copy the created certificates to the following path.

cp path/ca.crt /etc/ssl/
cp path/ /etc/ssl/
cp path/ /etc/ssl/
cp path/ /etc/ssl/

Configure Apache

This example configuration will you show you how to use the above created SSL-certificate and the Client-certificate to make a SSL encrypted website and authenticate this site with the Client-certificate. For further information and documentation look at the Apache-Documentation<ref></ref>

SSL encryption

Create a virtual host entry which listens on the SSL port. (443) In our example we use the IP address "" and the domain name "" for which we created the SSL-certificate.

  SSLEngine on
  SSLCertificateFile "/etc/ssl/"
  SSLCertificateKeyFile "/etc/ssl/"
  SSLCACertificateFile "/etc/ssl/ca.crt"

SSL client authentication

To only allow access to the website through a Client-certificate you have to update your location entry in the apache configuration.

<Location /test>
  Order deny,allow
  Allow from ALL
  SSLVerifyClient require