Implement digital certificate authentication (ICP) in Apache

I am trying to implement in Apache PKI authentication with digital certificates stored on the token / smart card.

I'm using XAMPP 5.6.8.0-VC11 on a Windows 7 computer.

Following what I discovered by searching the internet, I uncommented the following settings for the httpd-ssl.conf file in the Apache settings:

SSLVerifyClient require
SSLVerifyDepth  10

From there, by going to the link, the browser (IE 11, Chrome 43 and FF 38) displays the digital certificate selection screen (using an e-CPF in the ICP-Brasil standard, stored on the token) and requests the password.

After entering the password and pressing ENTER, the behavior in the browsers is as follows:

In IE, I get a page with the message:

This page cannot be displayed.

In FF, it loads the page indefinitely.

In Chrome, the message is displayed:

Certificate-based authentication failed   ERR_BAD_SSL_CLIENT_AUTH_CERT

and clicking "details" shows:

This server requires an authentication certificate and did not accept the one sent by the browser. Your certificate may have expired or the server does not trust the sender of it. Please try again with a certificate, if you have one, or you will need to obtain a valid certificate from elsewhere.

I have tested several additional settings that I found on the internet, but nothing works. I have also changed the Windows Internet Options for SSL and TLS, also without success.

I would like to find out how to implement digital certificate authentication for a more secure login system that is in development.

Has anyone run into this, or does anyone know how to solve it?

asked by anonymous 11.06.2015 / 21:20

1 answer

Problem solved. From the link indicated by mgibsonbr I got to other sites and found that what was missing was really telling Apache which chain of certification was acceptable.

I did this by creating a ca-bundle file and pointing the SSLCACertificateFile directive in httpd-ssl.conf at its path.

To create the ca-bundle, I downloaded the whole certification chain (in this case, Certisign's), opened each of the *.cer files in Notepad, copied the text and put it in a ca-bundle.crt file, also in Notepad. The only caution, following the guidelines I found, was to place each of the *.cer files in the reverse order of the chain, i.e. the ICP-Brasil root *.cer was the last one.

Then the browser accepted the client's certificate (after restarting Apache) but reported that the server's certificate was not trusted (it was using the default XAMPP certificate). To fix this, I added server.crt as a trusted certificate on the client machine (in the Trusted Root Certification Authorities store).

Now the battle is to get the data from the client certificate to use for authentication.

12.06.2015 / 14:56
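The bundle-building step and the chain check from the answer above, as an added example that is not from the question, the answer or XAMPP. It assumes openssl on PATH; the .cer files are passed as arguments in whatever order you choose (the answer's root-last layout is shown in the usage comment), and the file names are only examples.

```shell
#!/bin/sh
# Build the SSLCACertificateFile bundle for mod_ssl from the CA certificates
# of a client-certificate chain (.cer files in DER or PEM form) and check a
# client certificate against it the way the TLS handshake will, before
# editing httpd-ssl.conf. Assumes openssl on PATH; file names are examples.
set -eu

# to_pem FILE: print one .cer file as PEM, whichever encoding it is in.
to_pem() {
  if openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; then
    openssl x509 -inform PEM -in "$1"
  else
    openssl x509 -inform DER -in "$1"
  fi
}

# build_bundle OUT CERT...: concatenate the CA certificates, in the order
# given on the command line, into one PEM bundle; prints the certificate count.
build_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    to_pem "$f" >> "$out"
  done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# verify_client BUNDLE CERT: succeeds only when CERT chains to a CA in BUNDLE,
# which is what SSLVerifyClient require demands of the browser's certificate.
verify_client() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# client_subject CERT: the subject DN that mod_ssl passes to the application
# as SSL_CLIENT_S_DN once SSLOptions +StdEnvVars is set (the client data the
# answer still needs for its login system).
client_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Usage with the answer's root-last layout (example file names):
#   build_bundle ca-bundle.crt intermediate.cer icpbrasil-root.cer
#   verify_client ca-bundle.crt client.pem && client_subject client.pem
```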