I currently help support several CentOS 7 servers for various clients. I admit that I am not a Linux guru by any stretch. But I can setup a server, install Apache, PHP and MariaDB, install SSL certs, update firewall rules, etc. Basic server needs.
One client needed to add client authentication for a third party, so that when they (the third party) accessed an endpoint within my client's website, a certificate would be required. Otherwise all traffic would be blocked. Below is what we did to get this working.
Get the Certificate Chain
In order to get the handshake to work, we had to add their certificate to our server. They sent us their public certificate, but more was required to get it working. We also needed their root certificate, as well as their CA certificate (forgive me if these aren’t the correct phrases – I am far from an encryption expert).
To get this, I went to https://whatsmychaincert.com/ and pasted the certificate they provided into the section "Generate the Correct Chain". Because I knew I also needed the root certificate, I checked the box to include the root certificate and clicked "Generate Chain." This prompted me to download the certificate, which I did.
Install the Certificate
I then took the certificate they gave us, along with the bundle I downloaded above, and combined them into a single file on the Linux server. The first certificate was the one they sent, followed by the chain certificates. In the end the file looked similar to the following:
-----BEGIN CERTIFICATE-----
MIIHPTCCBiWgAwIBAgIQEi2p8tQPYNiTbfbdltTbIzANBgkqhkiG9w0BAQsFADCB
................................................................
xiSIFBbimeNRH2HvEqaGCIu13jpkBPrRuDqHpyVxqazx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB
................................................................
MntHWpdLgtJmwsQt6j8k9Kf5qLnjatkYYaA7jBU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
................................................................
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----
The whole file was saved as /etc/pki/tls/certs/ClientChainFile.crt. I then changed the permissions on the file so only root could read it.
$ chmod 600 ClientChainFile.crt
I then edited the Apache SSL config file (/etc/httpd/conf.d/ssl.conf) and added a few things. I uncommented the SSLCACertificateFile line and pointed it at the file we had just added.
SSLCACertificateFile /etc/pki/tls/certs/ClientChainFile.crt
Next we added a <Location> block for the directory we wanted to protect.
<Location /api/protected/>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
</Location>
Once done, I verified that the configuration was OK and reloaded Apache.
$ apachectl -t
$ systemctl reload httpd
I verified that the browser didn't throw any errors, and then checked the install with the Qualys SSL Labs server test: https://www.ssllabs.com/ssltest/index.html
Once I knew it was installed OK we asked the third party to verify and all was well!
Note: We also had to set the value for SSLCertificateChainFile in our configuration.
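A few sanity checks for the chain file before pointing SSLCACertificateFile at it, as an added example that is not part of the original post: it counts the PEM blocks (catching a truncated paste), confirms the chmod 600 from above, and uses openssl to verify that the first certificate (the third party's own) chains to the intermediate and root certificates that follow it. Assumes POSIX sh with grep, awk and stat; the last function also assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a client CA
# bundle such as /etc/pki/tls/certs/ClientChainFile.crt before Apache's
# SSLCACertificateFile is pointed at it. Assumes POSIX sh, grep, awk and
# stat; the last function also assumes the openssl CLI is installed.

# Print the number of PEM certificate blocks in the file. Returns non-zero
# when a BEGIN line has no matching END line (a truncated paste) or when
# the file holds no certificate at all.
pem_cert_count() {
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    printf '%s\n' "$begins"
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Return 0 when the file mode is 600 (owner read/write only), as set with
# chmod 600 in the post. stat -c is GNU (CentOS 7); stat -f is the BSD form.
is_owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Check that the first block (the third party's own certificate) verifies
# against the remaining blocks (intermediate and root). This mirrors the
# chain building Apache does for SSLVerifyClient require, so a failure
# here means the TLS handshake will fail too.
leaf_verifies_against_chain() {
    dir=$(mktemp -d) || return 1
    # Split the bundle into cert-1.pem, cert-2.pem, ... at each BEGIN line.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (d "/cert-" n ".pem") }' "$1"
    : > "$dir/issuers.pem"
    for f in "$dir"/cert-*.pem; do
        [ "$f" = "$dir/cert-1.pem" ] || cat "$f" >> "$dir/issuers.pem"
    done
    if openssl verify -CAfile "$dir/issuers.pem" "$dir/cert-1.pem" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}
```

Run it as `pem_cert_count /etc/pki/tls/certs/ClientChainFile.crt` and `leaf_verifies_against_chain /etc/pki/tls/certs/ClientChainFile.crt` after sourcing the file; a non-zero exit from the second means the bundle is incomplete or in the wrong order.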