I was asked to do "Configure SSL Mutual (Two-way) Authentication" and I don't know where to start or how to test it.
A server and many clients. They can access code on the server only if they have a signed certificate from the server, and the server can generate those certificates and disable them.
Here is a tutorial, but I'm so scared of losing the connection with the server I'm working on, because it's the main server, if I re-generate new keys.
Do I have to be a root user?
Is there any bash script for this?
Any information would be appreciated.
-
If you're tasked with setting up security for infrastructure like this, you should start elsewhere. Setting up a secure implementation of client certificate verification when it really matters is not something you should really be doing without prior experience in setting up secure systems. – Chris Down, Apr 25, 2013 at 10:10
-
Experience comes when you try to do something. I'm reading about it. I just needed guidelines from you guys so I don't get lost while browsing and searching :) – SafeY, Apr 25, 2013 at 10:34
-
Here is a good tutorial to get you started: codeproject.com/Articles/326574/… and a 15-minute guide, monduke.com/2006/06/04/…. In general, the setup of 2-way SSL is going to be highly dependent on the technologies you're trying to implement it on: Java, Apache, etc. We'd need that info as well to help narrow the scope. Do you know any of this? – slm ♦, Apr 25, 2013 at 11:15
-
Yes, of course :D. It is for Apache on a CentOS server. – SafeY, Apr 25, 2013 at 11:25
1 Answer
Standard/usual HTTPS enables you to establish the identity of the server from a common trusted root CA; importing a client's SSL certificate in the browser (one that is marked as enabled for authentication) is how you use SSL certs to perform client authentication. The end result is that the client browser authenticates the server via HTTPS and the server authenticates the client via the client's authentication cert.
This tutorial describes the process of configuring Apache for client SSL authentication/verification, which is the only non-usual part of the process. It's just a set of 3 or 4 directives to add to the virtual host configuration.
As an example (stolen from the jump), you can include the following in your <VirtualHost> configuration:
    <Location /cert>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 10
    </Location>
This forces Apache to require SSL authentication for all URLs underneath /cert (going back as far as ten signing CAs in this case). You can then use SSLCACertificateFile in the vhost config to change which CAs you accept for signing.
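The directives above assume that a CA, a server certificate and per-client certificates already exist, and the question also asks how to test this and whether a script exists. The following sh script is an added example, not part of the original answer or of the linked tutorial: it builds a throwaway private CA with openssl, issues a server cert and one client cert, writes the mod_ssl vhost fragment that uses them, and shows the revoke-and-reissue-CRL step that is how a server "disables" a client. Every name in it (the CA name, www.example.com, the user alice, the PKCS#12 password and the target directory) is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original answer): throwaway private CA for Apache
# client-cert auth, plain sh + openssl. Every name and path is a placeholder.
set -eu
# Minimal openssl.cnf for `openssl req` and `openssl ca`; $1 is the working dir.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol_any
[ pol_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}
# Build the CA, a server cert and one client cert under $1.
make_pki() {
    d=$1; cnf=$d/openssl.cnf
    mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"
    write_cnf "$d"
    # Self-signed CA: ca.key is what lets the server issue and revoke client certs.
    openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=Example Client CA" 2>/dev/null
    # Server cert (SSLCertificateFile/KeyFile) and client cert, both signed by the CA.
    openssl req -config "$cnf" -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=www.example.com" 2>/dev/null
    openssl ca -config "$cnf" -batch -notext -extensions server_ext \
        -in "$d/server.csr" -out "$d/server.crt" 2>/dev/null
    openssl req -config "$cnf" -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -out "$d/client.csr" -subj "/CN=alice" 2>/dev/null
    openssl ca -config "$cnf" -batch -notext -extensions client_ext \
        -in "$d/client.csr" -out "$d/client.crt" 2>/dev/null
    # PKCS#12 bundle the user imports into the browser; password is a placeholder.
    openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
        -out "$d/client.p12" -passout pass:changeit 2>/dev/null
    # Empty CRL so the vhost can reference SSLCARevocationFile from day one.
    openssl ca -config "$cnf" -gencrl -out "$d/ca.crl" 2>/dev/null
    write_vhost "$d"
}
# mod_ssl fragment with the answer's directives plus the cert/CRL paths they need.
write_vhost() {
    cat > "$1/mtls.conf" <<EOF
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile $1/server.crt
    SSLCertificateKeyFile $1/server.key
    SSLCACertificateFile $1/ca.crt
    SSLCARevocationFile $1/ca.crl
    SSLCARevocationCheck chain
    <Location /cert>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>
EOF
}
# "Disable" a client: revoke its cert and reissue the CRL that Apache reads.
revoke_client() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
# Same check mod_ssl makes at handshake: chains to our CA and is not on the CRL.
verify_client() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$2" >/dev/null 2>&1
}
# Usage: sh mtls-ca.sh /path/to/dir  (no root needed unless the dir is under /etc)
case $# in 0) ;; *)
    make_pki "$1"
    verify_client "$1" "$1/client.crt" && echo "alice: accepted"
    revoke_client "$1" "$1/client.crt"
    verify_client "$1" "$1/client.crt" || echo "alice: revoked"
    ;;
esac
```

Run it as `sh mtls-ca.sh /some/dir`; nothing in it needs root, which is only required if the directory lives under /etc and to restart httpd after the fragment is included. To test without a browser, `curl --cacert ca.crt --cert client.crt --key client.key https://www.example.com/cert` should return the page, and the same request without `--cert`/`--key` (or with a revoked cert) should fail at the TLS handshake. Two caveats a practitioner will want: mod_ssl's SSLCARevocationCheck defaults to none, so a CRL file is silently ignored unless that directive is set; and the whole scheme only holds while ca.key stays outside the document root and is readable only by the account that runs the signing script, because anyone who can read it can mint an accepted client certificate.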
-
Thanks. What's the web server!? I have a server which holds Apache, and a client wants to reach a page on this server. This server will be responsible for generating certificates for clients and signing them. What is the third party for? What am I missing? – SafeY, Apr 25, 2013 at 13:13
-
That tutorial used self-signed certificates to provide you with an example. You can skip the "openssl" commands if you're getting your certs from an actual certificate authority. – Bratchley, Apr 25, 2013 at 14:27
-
@Bratchley Should've included the highlights of that link/a summary of those 3-4 directives here so it could've become a resource for future Googlers, like me. That link is broken now. This is essentially a "link-only" answer, and these are discouraged for this very reason. – vapcguy, Sep 11, 2017 at 21:27
-
@vapcguy You might be having network problems, because the link still works for me. But your point about link-only answers is valid (this is one of my first answers, IIRC), so I plagiarized the tutorial and put it into my answer. Still linking the tutorial in question, though, so the directives can be viewed in context. – Bratchley, Sep 13, 2017 at 14:39
-
@Bratchley Thanks. I've also found my network sometimes blocks certain sites, so this was helpful. Appreciated! – vapcguy, Sep 13, 2017 at 20:32