PIVKey and Apache Server


Client certificate authentication means that when a client computer or user requests a directory on the server (for example, a web page in that directory), the server requires the client to present a certificate, and only allows access to the directory once that certificate has been verified.

https://pivkey.com/test/ is a directory with a test web page on the PIVKey server that is configured to require this type of client certificate authentication.  It is useful to test whether a PIVKey is working as all new PIVKeys are loaded with a default certificate from PIVKey.  When a PIVKey user has their PIVKey inserted and browses to that directory, the server asks for a client certificate.  The PIVKey provides that certificate, the server checks that it's a valid PIVKey certificate, prompts for a PIN, and allows access to the web page.  

This article will show you how to configure an Apache server in this way.

To enable client certificate authentication on a directory of your web site, you will first need an SSL certificate for the server. OpenSSL can be used to generate a new private key and a certificate signing request (CSR); see the OpenSSL documentation for details. An example request:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

That CSR (server.csr) can then be self-signed using OpenSSL (useful for a test environment) or it can be submitted to a Certificate Authority of your choice to be signed, resulting in the server certificate.  In the following example, that server certificate is server.crt and its private key is in server.key. 

The next step is to configure the virtual host. Depending on your distribution's Apache layout, these directives may live in different folders and may be split across more than one config file:

<VirtualHost _default_:443>
    DocumentRoot "/opt/apache2/htdocs/"
    SSLEngine on

    # server.crt contains the SSL certificate of the server itself, as seen in the padlock of the browser
    SSLCertificateFile "/opt/apache2/conf/server.crt"

    # server.key contains the private key of the server certificate above
    SSLCertificateKeyFile "/opt/apache2/conf/server.key"

    # server-ca.crt is a concatenated list of CA certificates trusted by the server for client
    # authentication; in other words, it comes from the CA that issued the certificates the
    # directory will accept
    SSLCACertificateFile "/opt/apache2/conf/server-ca.crt"

    # +StdEnvVars is required only if you want access to the certificate fields (SSL_CLIENT_*)
    SSLOptions +StdEnvVars

    <Directory "/opt/apache2/htdocs/test/">
        # require client certificate authentication for this directory only
        SSLVerifyClient require

        # maximum number of levels of CA certs (root + intermediate) allowed above the client certificate
        SSLVerifyDepth 3
    </Directory>
</VirtualHost>

If you want to use the default PIVKey client certificates, the server-ca.crt should contain both the root and intermediate certificates from Taglio. You can download the file from: http://ca.pivkey.com/
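The configuration above accepts a client certificate only if it chains to the CA certificates in server-ca.crt. As an added example (not PIVKey's or Apache's own tooling), the POSIX shell script below builds a throwaway root and intermediate CA plus one client certificate with the openssl CLI, writes server-ca.crt the way SSLCACertificateFile expects it, and checks the client certificate against that bundle offline; all subject names, file names and the pki.cnf config are constructed for this example.

```shell
#!/bin/sh
# Added example, not PIVKey's or Apache's own tooling: build a throwaway
# root -> intermediate -> client test PKI with the openssl CLI, assemble
# server-ca.crt as SSLCACertificateFile expects it (root + intermediate
# concatenated) and verify a client certificate against it offline.
# All names and paths below are constructed for this example.
set -eu

# Minimal config so the script does not depend on the system openssl.cnf.
write_pki_config() {
  cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Create root CA, intermediate CA and one client certificate inside directory $1.
make_test_pki() {
  mkdir -p "$1"
  ( set -e; cd "$1"; write_pki_config pki.cnf
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
      -extensions ca_ext -subj "/CN=Example Test Root CA" -keyout root.key -out root.crt
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=Example Test Issuing CA" -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 30 -extfile pki.cnf -extensions ca_ext -out int.crt
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=Test User" -keyout client.key -out client.csr
    openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 30 -extfile pki.cnf -extensions client_ext -out client.crt
    # The bundle SSLCACertificateFile points at: every CA above the client cert.
    cat root.crt int.crt > server-ca.crt )
}

# Exit 0 when certificate $3 chains to CA bundle $2 (both relative to directory $1).
# A smart card presents only its own certificate, so a bundle that holds the root
# but not the intermediate rejects it, which is why both must be in server-ca.crt.
verify_client_cert() {
  openssl verify -CAfile "$1/$2" "$1/$3" >/dev/null 2>&1
}
```

After make_test_pki "$dir", verify_client_cert "$dir" server-ca.crt client.crt succeeds, while the same call with root.crt in place of the bundle fails because the intermediate is missing, the same rejection Apache produces when server-ca.crt lacks the intermediate.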

To display the certificate data on the web page, you can read the SSL_CLIENT_* environment variables that mod_ssl exports when SSLOptions +StdEnvVars is set. The following is an example PHP page for your server. It should be placed inside the directory that requires client certificate authentication, in this example /opt/apache2/htdocs/test/.

<?php
// Only show certificate data when the request came in over TLS and mod_ssl
// reports that the client certificate verified against SSLCACertificateFile.
// The SSL_CLIENT_* variables are only populated when SSLOptions +StdEnvVars is set.
$verified = !empty($_SERVER['HTTPS'])
    && !empty($_SERVER['SSL_CLIENT_S_DN'])
    && (($_SERVER['SSL_CLIENT_VERIFY'] ?? '') === 'SUCCESS');

// HTML-escape every field before output: certificate subject data is text
// chosen by the issuing CA and its users, not markup this page should trust.
function cert_field(string $name): string
{
    return htmlspecialchars($_SERVER[$name] ?? '', ENT_QUOTES, 'UTF-8');
}

if ($verified) {
?>
<table border="0" cellspacing="1" style="border-collapse: collapse" bordercolor="#111111" cellpadding="1">
  <tr>
    <td class="TableRow1">Name:</td>
    <td class="TableRow1"><?php echo cert_field('SSL_CLIENT_S_DN_CN'); ?></td>
  </tr>
  <tr>
    <td class="TableRow2">Email address:</td>
    <td class="TableRow2"><?php echo cert_field('SSL_CLIENT_S_DN_Email'); ?></td>
  </tr>
  <tr>
    <td class="TableRow1">Company name:</td>
    <td class="TableRow1"><?php echo cert_field('SSL_CLIENT_S_DN_O'); ?></td>
  </tr>
  <tr>
    <td class="TableRow2">Department:</td>
    <td class="TableRow2"><?php echo cert_field('SSL_CLIENT_S_DN_OU'); ?></td>
  </tr>
  <tr>
    <td class="TableRow1">City:</td>
    <td class="TableRow1"><?php echo cert_field('SSL_CLIENT_S_DN_L'); ?></td>
  </tr>
  <tr>
    <td class="TableRow2">State:</td>
    <td class="TableRow2"><?php echo cert_field('SSL_CLIENT_S_DN_ST'); ?></td>
  </tr>
  <tr>
    <td class="TableRow1">Country:</td>
    <td class="TableRow1"><?php echo cert_field('SSL_CLIENT_S_DN_C'); ?></td>
  </tr>
  <tr>
    <td class="TableRow2">Valid From:</td>
    <td class="TableRow2"><?php echo cert_field('SSL_CLIENT_V_START'); ?></td>
  </tr>
  <tr>
    <td class="TableRow1">Valid To:</td>
    <td class="TableRow1"><?php echo cert_field('SSL_CLIENT_V_END'); ?></td>
  </tr>
  <tr>
    <td class="TableRow2">Serial Number:</td>
    <td class="TableRow2"><?php echo cert_field('SSL_CLIENT_M_SERIAL'); ?></td>
  </tr>
  <tr>
    <td class="TableRow1">Issued By:</td>
    <td class="TableRow1"><?php echo cert_field('SSL_CLIENT_I_DN_CN'); ?></td>
  </tr>
</table>
<?php
}
?>
