Two Way SSL Authentication
21 Sep 2016
This post demonstrates how to authenticate clients using certificates; in other words, it demonstrates mutual SSL (TLS) authentication.
Suppose we have a service running in an application server and we want to expose it to the outside world through Apache HTTP Server using two-way SSL authentication. That involves three things:
- Forwarding (proxying) requests from Apache HTTP Server to the underlying Tomcat/Jetty servers. This has been discussed in an earlier post.
- Enabling SSL for Apache HTTP Server. This has also been discussed in an earlier post.
- Setting up two-way SSL authentication, which is the subject of this post.
What is Mutual SSL Authentication
Mutual SSL authentication, or certificate-based mutual authentication, means that both parties authenticate each other by verifying the digital certificate the other side presents, so that each party is assured of the other's identity.
In technology terms, a client (web browser or client application) authenticates itself to a server (website or server application) with a certificate, and the server authenticates itself to the client in the same way; each side checks that the certificate it received was issued by a Certificate Authority (CA) it trusts.
From a high-level point of view, the process of authenticating and establishing an encrypted channel using certificate-based mutual authentication involves the following steps:
- A client requests access to a protected resource.
- The server presents its certificate to the client.
- The client verifies the server's certificate against the root certificate authority it trusts.
- If successful, the client sends its certificate to the server, together with a signature proving it holds the matching private key (the certificate alone proves nothing, since it is public).
- The server verifies the client's certificate against the certificate authority (or authorities) it has been configured to trust, and checks that signature.
- If successful, the server grants access to the protected resource requested by the client.
Assume our service is already reachable over SSL, as discussed in an earlier post.
We will now see how to create a client certificate and configure the server to accept requests only from clients that authenticate with one.
Creating client certificate
At the client side
- Create the client private key
openssl genrsa -out client.key 2048
- Generate a CSR (certificate signing request) to send to the CA for signing. Only the CSR leaves the client; the private key stays where it was generated.
openssl req -new -key client.key -out client.csr
At the CA side, we use the root certificate authority created in an earlier post to issue client certificates.
- Sign the CSR
openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAserial rootCA.srl -out client.crt -days 500 -sha256
Two caveats: -CAserial expects rootCA.srl to exist already (it is written when the first certificate is issued with -CAcreateserial), and because no -extfile is given the resulting certificate carries no extensions at all; if the verifying side checks key usage, add an extensions file with extendedKeyUsage = clientAuth.
client.crt is returned to the client, which combines it with its private key into a PKCS#12 file for use within a browser:
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
openssl prompts for an export password. The .p12 file contains the private key, so protect it accordingly and delete it once it has been imported.
Importing the client certificate into a browser
On a Windows machine, go to IE, Internet Options, the Content tab, then hit the Certificates button. This opens the Windows certificate store. Import client.p12 (certificate plus private key) under Personal; that is the certificate the browser will offer to the server. The root CA certificate rootCA.pem (not the key) belongs under Trusted Root Certification Authorities, so that the browser also trusts the server certificate signed by the same root.
Server Side Configuration
In the SSL virtual host configuration of Apache HTTP Server:
- Require a client certificate and set how long a chain the server will walk while verifying it:
SSLVerifyClient require
SSLVerifyDepth 10
- Uncomment SSLCACertificateFile and set it to the path of the root CA certificate file (rootCA.pem). This is the CA that client certificates are checked against.
SSLVerifyDepth 10 is generous; if all client certificates are signed directly by the root, a depth of 1 is enough and rejects anything chained through an unexpected intermediate. Trusting a CA means trusting every certificate it issues, so where only some of its certificates should get in, restrict further on the client DN, for example with Require expr %{SSL_CLIENT_S_DN_O} == "Example".
Restart Apache. When we now hit our service at
https://localhost/hello, the browser shows us the list of certificates available for client authentication.
If we select the appropriate certificate, we get a response from the service. Without a valid certificate the TLS handshake fails and the request never reaches the service.
We can onboard as many clients as we want by issuing client certificates from our root CA.
But what if a client wants to use its own certificates? How can the server accommodate this? Put differently, we need to handle multiple CAs when validating client certificates.
There are two approaches:
- Combine the root CA certificates into one big file and point SSLCACertificateFile at it. This is the simpler choice when there are only a few root CAs to manage.
- Place the root CA certificates in a directory, create symlinks named after each certificate's subject hash, and point SSLCACertificatePath at that directory.
In the second approach the hash comes from openssl x509 -hash (c_rehash or openssl rehash does this for a whole directory), and the links must be regenerated whenever a CA certificate is added or replaced, otherwise the new CA is silently not trusted.
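The following script is an added example, not code from the original post. It runs the whole procedure above end to end and then exercises both multi-CA approaches: it creates self-signed root CAs, issues client certificates from them (key, CSR, signing with an extensions file, PKCS#12 export), and verifies those certificates the way Apache does, first against a combined bundle file (SSLCACertificateFile) and then against a directory of subject-hash symlinks (SSLCACertificatePath). All names (ca-a, ca-b, ca-rogue, alice, bob, mallory, the "Example" organisation, the password changeit) are made up for the demo; it only needs the openssl CLI and works offline in a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds root CAs, issues
# client certificates from them, and checks the certificates against a CA
# bundle file and against a hashed CA directory. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-signed root CA (key + certificate in one step). Argument: CA name.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1.key" -out "$1.pem" \
    -subj "/O=Example/CN=$1 root CA" >/dev/null 2>&1
}

# Client side: generate the key, then a CSR. The key never leaves the client;
# only the CSR goes to the CA. Arguments: client name, signing CA name.
make_client_cert() {
  client="$1"; ca="$2"
  openssl genrsa -out "$client.key" 2048 2>/dev/null
  openssl req -new -key "$client.key" -out "$client.csr" \
    -subj "/O=Example/CN=$client" 2>/dev/null
  # CA side: sign the CSR. -CAcreateserial writes the .srl file on first use,
  # and the extfile marks the result as a TLS client certificate (the bare
  # "openssl x509 -req" in the post issues a certificate with no extensions).
  printf 'extendedKeyUsage = clientAuth\nbasicConstraints = CA:FALSE\n' > "$client.ext"
  openssl x509 -req -in "$client.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 500 -sha256 -extfile "$client.ext" \
    -out "$client.crt" 2>/dev/null
  # Back on the client: certificate + key bundled for the browser import.
  # The password "changeit" is a demo assumption; use a real one.
  openssl pkcs12 -export -in "$client.crt" -inkey "$client.key" \
    -out "$client.p12" -passout pass:changeit 2>/dev/null
}

# Approach 1 (SSLCACertificateFile): concatenate the root CAs into one file.
# Usage: verify_with_bundle CERT CA.pem [CA.pem ...]; prints ok or fail.
verify_with_bundle() {
  cert="$1"; shift
  cat "$@" > bundle.pem
  if openssl verify -CAfile bundle.pem "$cert" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Approach 2 (SSLCACertificatePath): a directory where each CA certificate is
# reachable as <subject-hash>.<n>. This is what c_rehash / openssl rehash do;
# it is done by hand here so the naming rule is visible.
# Usage: build_ca_dir DIR CA.pem [CA.pem ...]
build_ca_dir() {
  dir="$1"; shift
  rm -rf "$dir"; mkdir -p "$dir"
  for ca in "$@"; do
    h=$(openssl x509 -in "$ca" -noout -subject_hash)
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done  # collisions get .1, .2, ...
    ln -s "$(pwd)/$ca" "$dir/$h.$n"
  done
}

# Usage: verify_with_dir CERT DIR; prints ok or fail.
verify_with_dir() {
  if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Two CAs we onboard, plus one we never trusted.
make_root_ca ca-a
make_root_ca ca-b
make_root_ca ca-rogue
make_client_cert alice   ca-a
make_client_cert bob     ca-b
make_client_cert mallory ca-rogue

build_ca_dir cadir ca-a.pem ca-b.pem
for c in alice bob mallory; do
  printf '%-8s bundle=%-4s dir=%s\n' "$c" \
    "$(verify_with_bundle "$c.crt" ca-a.pem ca-b.pem)" \
    "$(verify_with_dir "$c.crt" cadir)"
done
```

alice and bob verify under both approaches, mallory (issued by a CA that was never onboarded) fails under both, and alice fails as soon as ca-a is left out of the bundle. Note that openssl verify only answers "was this issued by a trusted CA"; in a real handshake the server additionally checks the client's signature over the handshake, which is what ties the certificate to whoever holds client.key.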