Add certificate-based authentication to LAMP server

Q I am building a website (LAMP-based) that will provide sensitive information and store sensitive customer data in the database. The site will be restricted to specific IP addresses but I would like to add certificate-based authentication so that every user that is allowed to use the site should have a personal certificate in their browser that would be used in conjunction with their username and password. That way, if someone tried to enter the site from an accepted IP address but did not have the correct username-password-browser certificate combination, they would be rejected. Can you tell if it is possible to do that?

A This is certainly possible. Apache can use SSL to authenticate clients with certificates, as well as to authenticate the server to the client. You will want the latter too, as it is important for your users to know they have connected to the correct server before sending sensitive information. The first step is to put your certificate and its keyfile in Apache's configuration directory, preferably in an ssl subdirectory, and then to add these lines to httpd.conf to activate SSL and give their location:

# Enable SSL for this server (or virtual host)
SSLEngine on
# Cipher suites offered to clients (Apache's default list of the time)
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server certificate and its private key, relative to ServerRoot
SSLCertificateFile conf/ssl/myserver.crt
SSLCertificateKeyFile conf/ssl/myserver.key

Configure Apache to listen on port 443 (or create a virtual host for this and add the above lines to the virtual host's definition), and Apache will now authenticate the server to clients using your certificate. To authenticate each client with the server, add these lines to httpd.conf (or within a <Directory> container in your virtual host's definition):

# Reject any client that does not present a valid certificate
SSLVerifyClient require
# Depth 1: the client certificate must be signed directly by the CA below
SSLVerifyDepth 1
# The server's own certificate is used as the issuing CA for client certificates
SSLCACertificateFile conf/ssl/myserver.crt

This will block access to any client that does not have a certificate signed by the server, so you need to create one for each user by running these commands on the server:

# 1. Generate a passphrase-protected private key for the user
openssl genrsa -des3 -out username.key 1024
# 2. Create a certificate signing request from that key
openssl req -new -key username.key -out username.csr
# 3. Sign the request with the server certificate and key, valid for one year
openssl x509 -req -in username.csr -out username.crt -sha1 -CA myserver.crt -CAkey myserver.key -CAcreateserial -days 365
# 4. Bundle certificate and key as PKCS#12 for import into the browser
openssl pkcs12 -export -in username.crt -inkey username.key -name "$USER Cert" -out username.p12
# 5. Display the certificate in the bundle to check that all is well
openssl pkcs12 -in username.p12 -clcerts -nokeys -info

The export stage will prompt for an 'export password'. This is needed, along with the username.p12 file, to install the certificate in the user's browser. The last line simply displays the certificate so you can check that all is well. For maximum security, install the certificate yourself, then the user will not be able to copy it to another machine as they will not know the password.
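As an added example, not part of the original answer: the issuance steps above made non-interactive, followed by the check that matters under SSLVerifyDepth 1 with SSLCACertificateFile myserver.crt, namely that the client certificate chains directly to myserver.crt and that one from an unrelated issuer does not. File names follow the answer; the CN values and export passphrase are constructed placeholders, and everything is created in a scratch directory.

```shell
#!/bin/sh
# Added example (not the article's own script). Assumes openssl is installed.
set -eu
WORK=$(mktemp -d) && cd "$WORK"

# Self-signed server certificate that, as in the answer, also acts as the CA.
make_self_signed() {   # $1 = output basename, $2 = CN (constructed value)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Issue a client certificate for user $1, signed by myserver.crt, and bundle it
# with its key as PKCS#12 for import into the browser (no prompts).
issue_client_cert() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -sha256 -CA myserver.crt -CAkey myserver.key \
        -CAcreateserial -days 365 -out "$1.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -name "$1 Cert" \
        -passout pass:export-password-placeholder -out "$1.p12"
}

# Returns 0 only if $1.crt is signed directly by myserver.crt, which is what a
# browser must present to get past SSLVerifyClient require / SSLVerifyDepth 1.
client_cert_is_valid() {
    openssl verify -CAfile myserver.crt "$1.crt" >/dev/null 2>&1
}

# Reads the CN back out of an issued certificate; mod_ssl exposes this same
# value to the web application as SSL_CLIENT_S_DN_CN, so the application can
# check that the certificate presented belongs to the account logging in.
client_cert_cn() {
    openssl x509 -in "$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

make_self_signed myserver myserver.example
issue_client_cert username
if client_cert_is_valid username; then
    echo "username.crt (CN=$(client_cert_cn username)) is accepted by myserver.crt"
else
    echo "username.crt was NOT accepted; check myserver.crt/myserver.key" && exit 1
fi
make_self_signed rogue rogue-ca.example   # certificate from an unrelated issuer
if client_cert_is_valid rogue; then
    echo "rogue.crt unexpectedly accepted" && exit 1
else
    echo "rogue.crt rejected, as SSLVerifyClient require would reject it"
fi
```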
