Add certificate-based authentication to LAMP server

Q I am building a website (LAMP-based) that will provide sensitive information and store sensitive customer data in the database. The site will be restricted to specific IP addresses but I would like to add certificate based authentication so that every user that is allowed to use the site should have a personal certificate in their browser that would be used in conjunction with their username and password. That way, if someone tried to enter the site from an accepted IP address but did not have the correct username-password- browser certificate combination, they would be rejected. Can you tell if it is possible to do that?

A This is certainly possible. Apache can use SSL to authenticate clients with certificates, as well as to authenticate the server to the client. You will want the latter too, as it is important for your users to know they have connected to the correct server before sending sensitive information. The first step is to put your certificate and its keyfile in Apache's configuration directory, preferably in an ssl subdirectory, and then to add these lines to httpd.conf to activate SSL and give their location:

SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:
+HIGH:+MEDIUM:+LOW:+SSLv2:
+EXP:+eNULL
SSLCertificateFile conf/ssl/
myserver.crt
SSLCertificateKeyFile conf/ssl/
myserver.key

Configure Apache to listen on port 443 (or create a virtual host for this and add the above lines to the virtual host's definition), and Apache will now authenticate the server to clients using your certificate. To authenticate each client with the server, add these lines to httpd.conf (or within a <Directory> container in your virtual host's definition):

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl/myserver.crt

This will block access to any client that does not have a certificate signed by the server, so you need to create one for each user by running these commands on the server:

openssl genrsa -des3 -out username.key 1024
openssl req -new -key username.key -out username.csr
openssl x509 -req -in username.csr -out username.crt -sha1
-CA myserver.crt -CAkey myserver.key
-CAcreateserial -days 365
openssl pkcs12 -export -in username.crt -inkey username.key
-name "$USER Cert" -out username.p12
openssl pkcs12 -in username.p12 -clcerts -nokeys -info

The export stage will prompt for an 'export password' This is needed, along with the username.p12 file, to install the certificate in the user's browser. The last line simply displays the certificate so you can check that all is well. For maximum security, install the certificate yourself, then the user will not be able to copy it to another machine as they will not know the password.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar