Apache web server SSL authentication

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time, being a default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).

By default the TLS protocol only proves the identity of the server to the client using an X.509 certificate, and the authentication of the client to the server is left to the application layer. TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves a less user-friendly experience, it’s rarely used in end-user applications.

Mutual TLS authentication (mTLS) is much more widespread in business-to-business (B2B) applications, where a limited number of programmatic and homogeneous clients connect to specific web services, the operational burden is limited and security requirements are usually much higher as compared to consumer environments. – Wikipedia

Create a new directory where we can store the private keys and certificates

sudo su
mkdir /etc/apache2/ssl
cd /etc/apache2/ssl

Generate a self-signed certificate CA

openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 365 -outform PEM -out ca.cer

Generate private SSL key for the server

openssl genrsa -out server.key 2048

Generate Certificate Signing Request in PKCS#10 format

openssl req -new -key server.key -out server.req

Issue the server certificate with serial number 100 (`-extensions server` names an extensions section of an OpenSSL configuration file; it only takes effect if that section exists, for example in a file passed with `-extfile`)

openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extensions server -days 365 -outform PEM -out server.cer

server.req is not needed any more

rm server.req

Generate a private key for the SSL client

openssl genrsa -out client.key 2048

Generate Certificate Signing Request for client

openssl req -new -key client.key -out client.req

Issue a client certificate with serial number 101

openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer

Save client’s private key and certificate in a PKCS#12 format

openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

Enter a password when prompted; it protects the private key inside the PKCS#12 file

Files client.key, client.cer and client.req are no longer needed

rm client.key client.cer client.req

Edit SSL configuration file

sudo nano /etc/apache2/sites-available/default-ssl.conf

Locate, uncomment and edit the following lines so that they read

SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/ssl/ca.cer

Locate and edit the following lines

SSLCertificateFile      /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
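The certificate-issuance steps above, collected into one script as an added example (not from the original post): it supplies the `server` and `client` extension sections that the post's `-extensions server` and `-extensions client` flags refer to (via `-extfile`), and verifies the issued certificates against the CA before they are installed in Apache. It assumes the `openssl` CLI is installed; subject names and the export password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds the post's CA, server
# and client certificates in a temporary directory and checks them with openssl.
# Usage: dir=$(mtls_pki_demo) && ls "$dir"
mtls_pki_demo() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    # Extension sections that "-extensions server" / "-extensions client" refer to.
    cat > ext.cnf <<'EOF'
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost

[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Self-signed CA, as in the post, with a constructed non-interactive subject.
    openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 365 \
        -subj "/CN=Demo mTLS CA" -out ca.cer >/dev/null 2>&1 || return 1
    # Server key, CSR and certificate (serial 100, "server" extensions).
    openssl genrsa -out server.key 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key server.key -subj "/CN=localhost" -out server.req >/dev/null 2>&1 || return 1
    openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 \
        -extfile ext.cnf -extensions server -days 365 -out server.cer >/dev/null 2>&1 || return 1
    # Client key, CSR and certificate (serial 101, "client" extensions).
    openssl genrsa -out client.key 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key client.key -subj "/CN=demo-client" -out client.req >/dev/null 2>&1 || return 1
    openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 \
        -extfile ext.cnf -extensions client -days 365 -out client.cer >/dev/null 2>&1 || return 1
    # Bundle the client key and certificate as PKCS#12 (constructed export password).
    openssl pkcs12 -export -inkey client.key -in client.cer -passout pass:demo \
        -out client.p12 >/dev/null 2>&1 || return 1
    # Checks worth running before touching Apache: chain validity, purposes, serial.
    openssl verify -CAfile ca.cer server.cer client.cer >/dev/null 2>&1 || return 1
    openssl x509 -in server.cer -noout -purpose | grep -q '^SSL server : Yes' || return 1
    openssl x509 -in client.cer -noout -purpose | grep -q '^SSL client : Yes' || return 1
    openssl x509 -in client.cer -noout -serial | grep -q 'serial=65' || return 1   # 101 = 0x65
    # Print the working directory so the caller can inspect the files.
    echo "$work"
}
```

Point `SSLCACertificateFile` at the generated `ca.cer` and import `client.p12` into the client to exercise the same setup against Apache.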