Apache - Create and validate client certificates
Creating client certificates
- Create the client key:
# openssl genrsa -des3 -out garex.key 1024
- Create the client request:
# openssl req -new -key garex.KEY -out garex.CSR
In the common name (CN) fill in your own name, for example "Martin Allert". For organisational unit you can fill in a department.
- Sign the client certificate request and generate the certificate:
# openssl ca -in garex.CSR -cert ../../CA/garexCA.CRT -keyfile \
../../CA/garexCA.KEY -out garex.CRT
- Verify all data has been filled in correctly:
# openssl x509 -in garex.CRT -text
Validating client certificates
How can I authenticate clients based on certificates if I know all my clients?
If you know all your users (i.e. you have a closed group of users), such as with an intranet, you can use a plain certificate authentication. The only thing you need to do is sign a client certificate with your own CA certificate ca.crt and then verify the client against the certificate.
# a client certificate that signs directly is required
# must be in ca.crt with CA certificate
How can I authenticate my clients for a certain URL based on certificates, but give anonymous clients to the rest of the server?
To realise this use the per-directory reconfiguration property of http://httpd.apache.org/docs/2.0/mod/mod_ssl.html