How to set SSL on Apache Server on Windows using Fake Local Certificate Authority

Introduction

This tutorial demonstrates how to set up Apache with SSL/TLS and client authentication, using a client certificate with its private key, in a Windows 7 environment. A typical SSL/TLS ecosystem involves three parties: the Certificate Authority (CA), the server, and the client. The inspiration for this tutorial came from my desire to understand how two-way SSL works. Before I started researching, my knowledge of SSL was close to none; my research notes have been polished into this blog post.

                              Real life examples            For this tutorial
Certificate Authority (CA)    VeriSign, DigiCert            Fake CA
Server                        Apache, Tomcat, SMTP          Apache with XAMPP
Client                        Firefox, Internet Explorer    Firefox and Java

Sandbox

  • Windows 7 64
  • Apache for Windows
  • OpenSSL for Windows
  • Firefox

Apache

  • In this tutorial XAMPP v 1.8.1 for Windows has been used to get the Apache server. Download XAMPP for Windows from here
  • Install XAMPP by unzipping the zip content.
  • Location of Apache on the laptop used for this demo:
    • “S:\servers\xampp\apache”

Firefox

Installed Firefox portable version 20.0.1 for this tutorial.

OpenSSL for Windows

  • Download and install OpenSSL for Windows. For this tutorial Win64 OpenSSL v 1.0.1e is used. Download it from here
  • Install by running the setup exe. For this blog demo the location for OpenSSL for Windows is
    • “S:\apps\OpenSSL-Win64”

Fig: Sequence of communication between server and client to negotiate two-way SSL

Steps

  • Open a command prompt in Windows.

  • Change directory to the <APACHE_HOME>\conf folder.

  • Set the environment variables OpenSSL for Windows needs. Example location of the installed OpenSSL (adjust to your own path, e.g. S:\apps\OpenSSL-Win64 from the sandbox above):

    • OPENSSL_HOME = C:\apps\OpenSSL-Win32

  • Set the environment variables (no spaces around the “=”, otherwise cmd makes them part of the variable name and value):

SET OPENSSL_HOME=C:\apps\OpenSSL-Win32
SET OPENSSL_CONF=%OPENSSL_HOME%\bin\openssl.cfg
SET PATH=%PATH%;%OPENSSL_HOME%\bin

Generate Certificates

Create the Certificate Authority (CA) for Server

In this tutorial no real CA is used. A fake certificate authority, “CA Server Certificate”, is created on the local sandbox laptop.

  • Generate the CA key file ca_server.key by typing the following openssl command at the cmd prompt:

openssl genrsa -out ca_server.key 1024

  • Generate the certificate signing request ca_server.csr for the CA from that key, providing the CA's details in the subject. (-key reuses the key from the previous step; -newkey with -keyout would generate a second key and silently overwrite ca_server.key.)

openssl req -new -key ca_server.key -out ca_server.csr -subj "/C=US/ST=NY/L=New York/O=CA Server Certificate/OU=IT/CN=www.CAServer.org"

  • Generate the CA certificate from the CSR and self-sign it with ca_server.key:

openssl x509 -req -days 365 -in ca_server.csr -signkey ca_server.key -out ca_server.crt

Setup the Web Server Certificate

Now the certificate for the server is generated.

  • Generate the server key file server.key:

openssl genrsa -out server.key 1024

  • Generate the server CSR from that key (again -key rather than -newkey/-keyout, so server.key is not overwritten):

openssl req -new -key server.key -out server.csr -subj "/C=US/ST=Texas/L=Austin/O=Server/OU=IT/CN=localhost"

  • Generate the server certificate, signed by the CA created in the previous steps:

openssl x509 -req -days 365 -CA ca_server.crt -CAkey ca_server.key -CAcreateserial -in server.csr -out server.crt

Note: if a self-signed certificate is desired instead of a CA-signed one, use this instead:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Create the Certificate Authority (CA) for Client

The same three steps as for the server CA, with its own key so that client certificates are trusted independently of the server CA:

openssl genrsa -out ca_client.key 1024
openssl req -new -key ca_client.key -out ca_client.csr -subj "/C=US/ST=TX/L=Austin/O=CA for Client Cert/OU=IT/CN=www.CAforClient.org"
openssl x509 -req -days 365 -in ca_client.csr -signkey ca_client.key -out ca_client.crt

Have the Client Request a Certificate

  • Generate the client key file client.key:

openssl genrsa -out client.key 1024

  • Generate the client CSR:

openssl req -new -key client.key -out client.csr -subj "/C=US/ST=Texas/L=Austin/O=Client Iqbal/OU=IT/CN=ClientIqbal"

  • Generate the client certificate, signed by the client CA:

openssl x509 -req -days 365 -CA ca_client.crt -CAkey ca_client.key -CAcreateserial -in client.csr -out client_signedby_ca_client.crt

Convert Client

Convert the client certificate client_signedby_ca_client.crt, together with its private key client.key, into a PKCS#12 file that Firefox can import:

openssl pkcs12 -export -clcerts -in client_signedby_ca_client.crt -inkey client.key -out client_signedby_ca_client.p12

  • Provide an export password when prompted; Firefox asks for the same password on import.
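As an added example that is not part of the original post, here is the whole Generate Certificates sequence (both CAs, the server certificate, the client certificate and the PKCS#12 bundle) as one script, with the resulting chains checked with openssl verify the way mod_ssl and Firefox check them. It assumes a bash shell (Git Bash, WSL or Linux) with openssl on PATH, uses 2048-bit keys instead of the tutorial's 1024 (which current OpenSSL security levels reject), adds the CA and subjectAltName extensions current verifiers require, and the p12 password "changeit" is a constructed value.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial: the tutorial's two CAs, server and client
# certificates built end to end with openssl, then verified the way mod_ssl and
# Firefox verify them. Runs under Git Bash, WSL or Linux with openssl on PATH.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: a writable temp dir)
cd "$WORK"

# Self-signed CA: key, CSR, certificate. The tutorial's CA certs are X.509 v1 with
# no extensions; marking CA:TRUE keeps OpenSSL 3 and current browsers from rejecting them.
make_ca() {   # $1 = file prefix, $2 = subject
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl genrsa -out "$1.key" 2048 2>/dev/null   # 2048 bits: 1024 fails modern security levels
  openssl req -new -key "$1.key" -out "$1.csr" -subj "$2"
  openssl x509 -req -sha256 -days 365 -in "$1.csr" -signkey "$1.key" \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Leaf certificate signed by a CA. -key reuses the key from genrsa; the tutorial's
# -newkey/-keyout form would silently generate a second key and overwrite the first.
make_leaf() { # $1 = file prefix, $2 = CA prefix, $3 = subject, $4 = extensions (\n separated)
  printf '%b\n' "$4" > "$1.ext"
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" -subj "$3"
  openssl x509 -req -sha256 -days 365 -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -in "$1.csr" -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Exit 0 when certificate $1 chains to CA $2: the decision SSLCACertificateFile (for the
# client cert) and the Firefox "Authorities" store (for the server cert) make at handshake.
chains_to() { openssl verify -CAfile "$2.crt" "$1.crt" >/dev/null 2>&1; }

build_all() {
  make_ca ca_server "/C=US/ST=NY/L=New York/O=CA Server Certificate/OU=IT/CN=www.CAServer.org"
  make_ca ca_client "/C=US/ST=TX/L=Austin/O=CA for Client Cert/OU=IT/CN=www.CAforClient.org"
  # Browsers match the host name against subjectAltName, not CN, so the server cert gets one.
  make_leaf server ca_server "/C=US/ST=Texas/L=Austin/O=Server/OU=IT/CN=localhost" \
    'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth'
  make_leaf client ca_client "/C=US/ST=Texas/L=Austin/O=Client Iqbal/OU=IT/CN=ClientIqbal" \
    'extendedKeyUsage=clientAuth'
  # PKCS#12 bundle for the Firefox "Your Certificates" import; the password is a constructed value.
  openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
    -out client_signedby_ca_client.p12 -passout pass:changeit
}

build_all
echo "certificates written to $WORK"
```

Because the two CAs are independent, a client certificate presented to Apache only passes SSLVerifyClient if it chains to ca_client.crt, and the server certificate only satisfies Firefox once ca_server.crt has been imported under Authorities.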

Setup Server Apache

Edit the Apache configuration file httpd-ssl.conf. For the https connection the document root is set to “S:/projects/blog_and_howto/htdocs”. For client authentication a sub folder “protected_by_client_cert” has been created under it to demo the client certificate authentication process. The relevant part of the <VirtualHost> section (the _default_:443 host is XAMPP's default):

<VirtualHost _default_:443>
    DocumentRoot "S:/projects/blog_and_howto/htdocs"

    <Directory "S:/projects/blog_and_howto/htdocs">
        Options Indexes
        Order allow,deny
        Allow from all

        # Refuse plain HTTP here and require a client certificate that chains
        # to SSLCACertificateFile; depth 1 = issued directly by that CA.
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>

    SSLEngine on

    # Server certificate and key, signed by the server CA (ca_server)
    SSLCertificateFile    "S:\projects\Eclipse_Juno_Blog\SSLClientWithCert\resources\server.crt"
    SSLCertificateKeyFile "S:\projects\Eclipse_Juno_Blog\SSLClientWithCert\resources\server.key"
    # CA used to verify client certificates: the client CA, not the server CA
    SSLCACertificateFile  "S:\projects\Eclipse_Juno_Blog\SSLClientWithCert\resources\ca_client.crt"

    ErrorLog "logs/dummy-host.localhost-error.log"
    CustomLog "logs/dummy-host.localhost-access.log" combined
</VirtualHost>

Test using Browser Firefox

Setup Client Firefox

Add the CA certificate ca_server.crt:

  • Go to Firefox menu > Options > Options > Advanced
  • Click “View Certificates”
  • Select the “Authorities” tab
  • Click the “Import…” button and select the “ca_server.crt” certificate created earlier.
  • Tick “Trust this CA to identify websites.” as shown in the following image and click “OK”

  • The ca_server.crt entry should show up as “CA Server Certificate” under the “Certificate Name” column.

Add the client certificate:

  • Now select the “Your Certificates” tab.
  • Click the “Import” button and select the PKCS12 file holding the client key and certificate, “client_signedby_ca_client.p12”, entering the export password chosen earlier.
  • Click “OK”.
  • Firefox should now be ready to connect to the Apache server.

Test

Make sure the Apache HTTPD server is running. In this tutorial XAMPP for Windows is used; the console window should look like the following image.

  • Open Firefox and enter the URL “https://localhost/protectedclient”, or whatever location you defined for the protected client folder inside the <VirtualHost> configuration in httpd-ssl.conf.
  • Pressing Enter should bring up the following prompt, asking you to accept a certificate.
  • This is the p12 client certificate that Firefox is asking you to accept.
  • Clicking “OK” should display the protected HTML resource.
