2013-03-22, 18:42
Hello!
I hope someone can help me. I'm struggling with Client certificates. Server Certificates are working well, as well as Code Signing. Although it took some days to get this to work, now it works fine.
But Client certificates won't work at all.
I'm using Debian 6.0.7 (squeeze), Apache 2.2.16, OpenSSL 1.0.1.
Please find below the steps to create the certificates and my apache configuration.
Thanks for helping me.
************************************************
# CREATE ROOT Certificate
openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 3650
# CREATE SERVER Certificate
openssl req -newkey rsa:2048 -keyout server.key -out server.req
openssl ca -config ca.cnf -extensions codesigning -in server.req -out server.crt
# REMOVE Passphrase
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# SIGN Code
openssl cms -sign -binary -noattr -in /var/www-pxe/00\:0c\:29\:41\1\a/loader.iso -signer server.crt -inkey server.key -outform DER -out /var/www-pxe/00\:0c\:29\:41\1\a/loader.sig
openssl cms -sign -binary -noattr -in /var/www-pxe/memdisk -signer server.crt -inkey server.key -outform DER -out /var/www-pxe/memdisk.sig
openssl cms -sign -binary -noattr -in /var/www-pxe/bootstrap.ipxe -signer server.crt -inkey server.key -outform DER -out /var/www-pxe/bootstrap.ipxe.sig
# CREATE CLIENT Certificate
openssl req -newkey rsa:2048 -keyout client.key -out client.req
openssl ca -config ca.cnf -in client.req -out client.crt
# REMOVE Passphrase
cp client.key client.key.org
openssl rsa -in client.key.org -out client.key
# MAKE undionly
make bin/undionly.kpxe EMBED=test.ipxe
make bin/undionly.kpxe EMBED=test.ipxe TRUST=server.crt CERT=client.crt PRIVKEY=client.key
************************************************
Here's my Apache Configuration:
************************************************
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www-pxe
SSLEngine on
SSLOptions +StrictRequire
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLCACertificateFile /var/ipxe/src/client.crt
SSLCertificateFile /var/ipxe/src/server.crt
SSLCertificateKeyFile /var/ipxe/src/server.key
<Directory />
        SSLRequireSSL
        Options FollowSymlinks
        AllowOverride None

        SSLVerifyClient require
        SSLVerifyDepth 1
</Directory>
<Directory /var/www-pxe/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
</Directory>
BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
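A check of the trust relationship the Apache side enforces, added here as a constructed example (not from the post, iPXE or Apache): mod_ssl verifies the presented client certificate against the certificates listed in SSLCACertificateFile, so that file has to contain the CA that issued client.crt. The script builds a throwaway CA and a client certificate signed by it, then runs the same verification with ca.crt and with client.crt as the trust anchor; it assumes the openssl CLI is on PATH, and all names and paths are made up.

```shell
#!/bin/sh
# Constructed demo of what SSLVerifyClient needs: the trust file must hold the
# issuing CA, not the client certificate itself. Assumes the openssl CLI is on PATH.

# Build a tiny PKI in $1: ca.crt/ca.key (self-signed root) and client.crt/client.key
# issued by that root. -nodes avoids any passphrase prompt.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-ipxe-client" \
        -keyout "$dir/client.key" -out "$dir/client.req" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.req" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
}

# Same chain check mod_ssl performs: does cert_file chain to a root in trust_file?
# Returns 0 when the chain verifies, non-zero otherwise.
verify_client_cert() {
    trust_file="$1"; cert_file="$2"
    openssl verify -CAfile "$trust_file" "$cert_file" >/dev/null 2>&1
}

# Cheaper sanity check: the subject of the trust file must equal the issuer of
# the client certificate (prefix stripping copes with old and new openssl output).
issuer_matches_trust() {
    trust_subject=$(openssl x509 -noout -subject -in "$1")
    cert_issuer=$(openssl x509 -noout -issuer -in "$2")
    [ "${trust_subject#subject=}" = "${cert_issuer#issuer=}" ]
}

# Demo run: ca.crt as trust anchor verifies, client.crt as trust anchor does not.
PKI=$(mktemp -d)
make_test_pki "$PKI"
if verify_client_cert "$PKI/ca.crt" "$PKI/client.crt"; then
    echo "trust=ca.crt: client.crt verifies (what SSLCACertificateFile must point at)"
fi
if ! verify_client_cert "$PKI/client.crt" "$PKI/client.crt"; then
    echo "trust=client.crt: verification fails (a client cert cannot vouch for itself)"
fi
```

Run the same two checks against the real files named in the VirtualHost and in the iPXE build line; a failure on the first one reproduces the handshake rejection without involving the boot ROM.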