Strong authentication with Apache and certificates issued by you to partners

If you need to protect access to your extranet (a site used by third parties) with client certificates, you run into the problem of certificate issuance: who issues the certificates, and who vouches for the people holding them.

You could of course ask your partners to obtain their own certificates and follow this procedure: Strong authentication with Apache and multi-CA-issued certificates. But they may not be able to get one, because it is too complicated or too expensive, unless one of your suppliers takes charge of the deployment.
The other solution is to issue the certificates yourself, with an offer such as the TBS X509 PKI. But that means setting up a certificate-issuing function within your organization, which is not always desirable.

Alternatively, you can use TBS X509 Sign&Login or TBS X509 Email certificates (see client certificates). You order these certificates for your partners or customers (corporate contact = your partner, technical contact = yourself).

You can either go through the entire issuance process yourself or involve your partner (invitation mode). Example:
  1. Submit the certificate request to us. The CSR is generated with our Keybot tool (more info). You can also generate it by hand with openssl. Either put the invoice in your name and pay it, or the end user pays it.
  2. Your request is then audited and a vetting phone call is made to the corporate contact. The corporate contact must therefore be aware that a certificate is being issued in their name.
  3. Generate the certificate in PKCS#12 format (.pfx) from the certificate's status page, with the "Generate PFX/PEM" button (you can also do this by hand with openssl, which requires the private key generated at step 1).
  4. Deliver this PKCS#12 file to the end user, together with instructions for importing it into their browser. Send the file and its import password over separate channels, since the file contains the private key.
You benefit from a discount from 3 units upwards.

Prerequisite: your server must already be configured for SSL/TLS.

In your SSL VirtualHost, add two directives:
SSLCARevocationPath conf/ssl.crl/
SSLCACertificateFile conf/chain-my-pki.txt
The SSLCARevocationPath directive concerns revocation. See Management of revocation lists in Apache to enable revocation checking; without it, a revoked partner certificate keeps being accepted until it expires.
The SSLCACertificateFile directive describes the certification chain of the accepted certificates (here, the TBS X509 CA persona chain). Only client certificates that chain to a CA in this file are accepted, so list only the CAs you actually trust for client authentication; Apache also sends these CAs to the browser as the list of acceptable issuers, which is what lets the browser pick the right certificate to present. Consult

Then, in a Directory or Location section of your Apache configuration, add
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 4
to require a client certificate and to set the maximum length of the chain that is verified. SSLRequireSSL refuses any request that does not arrive over SSL, so the same content cannot be reached unauthenticated over plain HTTP.

You can stop there with the configuration and rely on the application to grant access based on each certificate (Apache exposes the certificate fields to it in the SSL_CLIENT_* variables when SSLOptions +StdEnvVars is set).

You can also add a filter such as this one:

SSLRequire  %{SSL_CLIENT_I_DN} eq "/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA persona" \
and ( ( %{SSL_CLIENT_S_DN_O} eq "ORGANIZATION-NAME" and %{SSL_CLIENT_S_DN_CN} eq "ref1" ) \
or ( %{SSL_CLIENT_S_DN_O} eq "ORG-NAME2" and %{SSL_CLIENT_S_DN_CN} eq "ref2" ) \
or ( %{SSL_CLIENT_S_DN_O} eq "ORG-NAME3" and %{SSL_CLIENT_S_DN_CN} eq "ref3" ) \
)
In this expression, the first line checks the issuing authority (if you followed our procedure and allowed only one authority, the test is redundant, but if you authorized several CAs it matters: without it, a certificate with the same subject issued by another accepted CA would pass).
Each following line checks an organization/reference pair.
Two caveats for Apache 2.4: SSLRequire is deprecated there in favour of Require expr, which accepts the same SSL_CLIENT_* variables; and DN strings are rendered by default in RFC 2253 form (CN=ref1,O=ORGANIZATION-NAME,C=FR), so the slash-separated issuer DN above only matches with SSLOptions +LegacyDNStringFormat. Check the exact string with openssl before deploying the filter.

You can also filter on other fields (the serial number, for example). See the Apache documentation for the available fields. A serial number is only unique within one issuer, so always pair it with the issuer check.

If you need to grant access to a large number of certificates, an SSLRequire filter is not optimal. You can instead use the certificate-based authentication mechanism (FakeBasicAuth). To do so, add to your configuration:
SSLOptions           +FakeBasicAuth
AuthName             "Access by certificate"
AuthType             Basic
AuthUserFile         conf/certificates.passwd
require              valid-user
Then, in the conf/certificates.passwd file, put:
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
This file holds one line per certificate: the certificate's subject (the complete DN) followed by :xxj31ZMTZzkVA, a fixed pseudo-password that is always the same (the crypt hash of the word "password", as given in the mod_ssl documentation; on systems whose crypt uses MD5, use the MD5 variant from that documentation). Because this password is public, keep SSLVerifyClient require in the same section: mod_ssl then replaces any client-sent Authorization header with the DN of the verified certificate, so a client cannot simply present a known DN with the well-known password. The same DN-format remark applies here: on Apache 2.4 the DNs in this file must be in RFC 2253 form unless LegacyDNStringFormat is set.

To find the subject of a certificate, in the form Apache will compare it against, run:
openssl x509 -subject -noout -in certificate-file.cer
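The openssl steps referred to throughout this page (CSR by hand, PKCS#12 export, chain check, subject extraction for the SSLRequire filter and the certificates.passwd file), as an added example that is not code from the TBS page. It signs the CSR with a throw-away test CA so the whole flow runs offline: that CA, the organization/reference names and the import password are constructed for the demo; in production the CSR goes to TBS and the returned certificate and chain replace the self-signing step. The helper functions print the DN in both forms Apache uses, because the legacy form on this page and the RFC 2253 form of Apache 2.4 differ.

```shell
#!/bin/sh
# Added example, not code from the TBS page. Walks the "by hand with openssl"
# parts of the procedure above against a throw-away test CA (an assumption so
# the flow runs offline; in production TBS signs the CSR after vetting), then
# extracts the DN strings that SSLRequire / certificates.passwd must match.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # all files land here; override with WORK=dir

# Hypothetical stand-in for the issuing CA (TBS X509 CA persona in the text).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=FR/O=Example CA/CN=Example client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 1 by hand: private key + CSR for one partner. O and CN are the
# fields the page's SSLRequire filter tests (ORGANIZATION-NAME / ref1).
make_csr() {   # $1 = organization, $2 = reference used as CN
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FR/O=$1/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
}

# What the CA does after vetting (step 2): issue a client-auth certificate.
sign_csr() {   # $1 = reference
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 3 by hand: PKCS#12 holding the private key, the certificate and the chain.
make_pfx() {   # $1 = reference, $2 = import password handed to the partner
    openssl pkcs12 -export -name "$1" -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -certfile "$WORK/ca.crt" -passout "pass:$2" -out "$WORK/$1.pfx"
}

# Same check Apache performs against SSLCACertificateFile: does the
# certificate chain to an accepted CA? Exit status 0 means yes.
verify_chain() {   # $1 = certificate file
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# DN strings. "compat" is the slash-separated form used on this page (Apache
# 2.2, or 2.4 with +LegacyDNStringFormat); RFC2253 is Apache 2.4's default.
subject_legacy()  { openssl x509 -noout -subject -nameopt compat  -in "$1" | sed 's/^subject= *//'; }
subject_rfc2253() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }
issuer_legacy()   { openssl x509 -noout -issuer  -nameopt compat  -in "$1" | sed 's/^issuer= *//'; }

# One line of conf/certificates.passwd for +FakeBasicAuth: DN + fixed pseudo-password.
passwd_line() {   # $1 = certificate file
    printf '%s:xxj31ZMTZzkVA\n' "$(subject_legacy "$1")"
}

# Subject read back out of the .pfx, i.e. what the partner's browser will present.
pfx_subject() {   # $1 = pfx file, $2 = import password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Demo run with constructed names (the password would go to the partner
# separately from the file).
make_test_ca
make_csr "ORGANIZATION-NAME" ref1
sign_csr ref1
make_pfx ref1 "demo-import-password"
verify_chain "$WORK/ref1.crt"
echo "issuer (legacy):  $(issuer_legacy "$WORK/ref1.crt")"
echo "subject (legacy): $(subject_legacy "$WORK/ref1.crt")"
echo "subject (2.4):    $(subject_rfc2253 "$WORK/ref1.crt")"
passwd_line "$WORK/ref1.crt" >> "$WORK/certificates.passwd"
```

The legacy and RFC 2253 strings printed for the same certificate are the two candidates for the SSLRequire issuer test and for each certificates.passwd line; use whichever matches your Apache version and SSLOptions. With OpenSSL 3 the exported .pfx uses modern PBKDF2/AES encryption; if a partner's older browser or OS refuses to import it, re-run the export with the -legacy option.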