
Sorry in advance, this may end up being a long and confused post, because that's where I am: I have been trying to do this for two days and I am confused :P

Context: I have a website (we'll call it www.mysite.com) and I have gotten a valid certificate from a major CA. HTTPS is working fine and the certificate is all kinds of valid.

Objective: I now want to issue certificates to the people I am authorizing to use my site so that I can add an extra layer of security to it and let Apache reject unauthorized users before they even see the result of the PHP site or have logged in with those credentials.

What I have done: I have followed at least three different tutorials and read half a dozen more on how to issue these certificates but, in short, they fail to validate. Most of the tutorials have talked about establishing my own self-signed CA cert, and then using that cert's key to sign additional certificates requested by the users. I have tried this and both Firefox (version 19.02) and IE (version 8 :( ) fail to connect and I don't understand why anymore.

So specific questions:

1. Are the Apache commands wrong? When I include:

    SSLEngine on    
    SSLCertificateFile /etc/path/to/www.mysite.com.crt
    SSLCertificateKeyFile /etc/path/to/www.mysite.com.key
    SSLCACertificateFile /etc/path/to/www.mysite.com.cabundle
    SSLVerifyClient require
    SSLVerifyDepth 10

in my httpd.conf file, the server appropriately rejects visits that do not have a certificate. However, I have generated what I believe to be a valid certificate for the end user and it is still being rejected. If the files shown above are what were given to me by the major CA (VeriSign), then am I just creating a bad user certificate? What are those Apache commands actually checking for?

2. How do the flags for openssl really work? I am creating the user's certificate with:

    openssl ca -in ./path/to/usersrequest.csr -cert ./etc/path/to/www.mysite.com.crt -keyfile ./etc/path/to/www.mysite.com.key -out ./path/to/userscert.crt

Am I, perhaps, using the wrong key or something? Should I be using the public or private key that I got from VeriSign's certificate? If I understand what I have read correctly, I should be able to simply issue a new certificate to my end user, signed with the same key that is in my 'official' certificate and it should just work... but it's not :(

I have also tried:

    openssl x509 -req -CA /etc/path/to/cert.pem -CAkey /etc/path/to/cert.pem -CAcreateserial -in usersrequest.csr -out user.crt

and I get an error that reads "unable to load CA private key"... and I don't even know what that means.

In the end, I know these are probably n00b questions and the answer is staring me in the face, but I have been trying to learn about this subject and write the code for two days now and my brain is just fried... I will keep trying, but if anyone out there can point me in the right direction, I'd really appreciate it.

TIA, Kvorak

1 Answer

You need to understand the difference between the CA signing your server certificate, and the self signed one you will use to sign the client certificates of your users.

You supply the first one to Apache HTTPd with the SSLCertificateChainFile directive, and if I understand your setup correctly, you need to specify /etc/path/to/www.mysite.com.cabundle as its parameter.

The second one is supplied with the SSLCACertificateFile directive.

In theory they could be the same, but that would mean that you need to send a certificate request (CSR) to be signed by the major CA for each client certificate you need to issue, because you cannot sign it yourself. You cannot sign it with the server certificate, because it is not a CA certificate but a server certificate, and as such cannot effectively sign other certificates.

What you need to do is generate a self signed CA, supply it to Apache HTTPd with the SSLCACertificateFile, and issue client certificates signed by this CA.

answered 2013-03-08T22:29:13.320
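The procedure the answer describes, as an added, runnable example that is not part of the question or the answer: it builds the self-signed CA, signs a user's CSR with that CA's private key (the `-CA` certificate / `-CAkey` private key pairing the question got wrong), and then checks with `openssl verify` that the user certificate chains to the CA, which is the same check mod_ssl performs against `SSLCACertificateFile`. It also issues a `www.mysite.com`-style end-entity certificate (basicConstraints CA:FALSE, as a commercial CA would issue it) and shows that a certificate signed with that server certificate does not verify, which is the answer's second point. All names, subjects and the `$WORK` scratch directory are constructed for the example; it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example: private client CA, client cert issuance, chain verification.
# Assumes OpenSSL 1.1.1+. Every name below is constructed for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Create the self-signed CA the answer recommends. CA:TRUE plus keyCertSign is
# what makes verifiers (mod_ssl, openssl verify) accept certificates it signs.
# The extension file is used instead of the openssl.cnf v3_ca section so the
# result does not depend on the local configuration.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/CN=Example Client CA (constructed)" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  openssl x509 -req -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert ISSUER SUBJECT PROFILE
#   Generates a key and CSR for SUBJECT and signs it with $WORK/ISSUER.key.
#   PROFILE is "client" (end-user certificate) or "server" (a www-style
#   end-entity certificate, CA:FALSE, like a commercial CA would issue).
#   Note the pairing: -CA takes the issuer's CERTIFICATE, -CAkey the issuer's
#   PRIVATE KEY. Pointing -CAkey at the certificate file is exactly what
#   produces "unable to load CA private key".
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" 2>/dev/null
  if [ "$3" = server ]; then
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/$2.ext"
  else
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/$2.ext"
  fi
  openssl x509 -req -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# verify_chain ANCHOR_CRT LEAF_CRT [UNTRUSTED_CRT]
#   Prints "ok" when LEAF chains to ANCHOR under OpenSSL's path rules,
#   "fail" otherwise. ANCHOR plays the role of SSLCACertificateFile.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# is_ca CRT: prints "yes" if the certificate asserts CA:TRUE, "no" otherwise.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && echo yes || echo no
}

main() {
  make_ca
  issue_cert ca alice client                 # correct: user cert signed by the private CA
  issue_cert ca www.mysite.com server        # a server cert, as a commercial CA would issue it
  issue_cert www.mysite.com bob client       # the question's approach: sign with the server cert
  echo "ca.crt is a CA:                       $(is_ca "$WORK/ca.crt")"
  echo "www.mysite.com.crt is a CA:           $(is_ca "$WORK/www.mysite.com.crt")"
  echo "alice verifies against ca:            $(verify_chain "$WORK/ca.crt" "$WORK/alice.crt")"
  echo "bob verifies via www.mysite.com:      $(verify_chain "$WORK/ca.crt" "$WORK/bob.crt" "$WORK/www.mysite.com.crt")"
  # Let OpenSSL state why bob is rejected (an end-entity certificate is not a CA):
  openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/www.mysite.com.crt" "$WORK/bob.crt" || true
  echo "artifacts in $WORK"
}
main
```

With these files, `SSLCACertificateFile` would point at `ca.crt`, the server's own VeriSign-issued certificate and key stay in `SSLCertificateFile` / `SSLCertificateKeyFile`, and the bundle from the commercial CA goes in the chain-file directive the answer names; `alice.key` and `alice.crt` are what the user imports into the browser. A certificate like `bob.crt` would be rejected by mod_ssl for the same reason `openssl verify` rejects it here.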