Server Authentication With Client Certificate X.509

Introduction

The basics of setting up certificate-based authentication on Apache.

 

Assumptions

Your server is already configured to use SSL/TLS. This is required because the browser refuses to use its certificate for authentication on an insecure connection.

 

Creating all the files we need

WARNING: Whether this is the optimal way still needs further investigation.

WARNING: The key sizes and expiration dates must be adjusted to suit your needs.

 

Create the CA

Create a signing request and sign it with the CA private key

Convert the alice.crt to alice.p12 so a browser knows what to do with it. (Note: On Safari the .p12 file has to have a password for the import to work.)

Convert the .p12 to .pem so tools like curl can use it
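The four steps above as one script. This is an added example, not the original post's commands: CA.key, client.ext, the subjects, key sizes and lifetimes are assumptions, and the clientAuth restriction and the final chain check go beyond what the text lists.

```shell
#!/bin/sh
# Added example. File names, subjects, key sizes and lifetimes are constructed.
set -e

# make_client_cert DIR NAME P12_PASSWORD
# Builds a CA in DIR, issues a client certificate for NAME, then exports it
# as NAME.p12 (browsers) and NAME.pem (curl).
make_client_cert() {
    dir=$1 name=$2 pass=$3
    (
        cd "$dir"
        umask 077   # keys and bundles readable by the owner only

        # 1. Create the CA: private key plus self-signed certificate.
        openssl req -x509 -newkey rsa:3072 -sha256 -days 365 -nodes \
            -keyout CA.key -out CA.pem -subj "/CN=Example Client CA" 2>/dev/null

        # 2. Create a key and signing request, then sign it with the CA key.
        #    The certificate is restricted to TLS client authentication.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" 2>/dev/null
        printf 'extendedKeyUsage = clientAuth\n' > client.ext
        openssl x509 -req -in "$name.csr" -CA CA.pem -CAkey CA.key \
            -CAcreateserial -sha256 -days 90 -extfile client.ext \
            -out "$name.crt" 2>/dev/null

        # 3. Convert to PKCS#12. The password is passed through the
        #    environment so it does not show up in the process list.
        P12_PASS=$pass openssl pkcs12 -export -in "$name.crt" \
            -inkey "$name.key" -certfile CA.pem -name "$name" \
            -passout env:P12_PASS -out "$name.p12"

        # 4. Convert the .p12 to PEM. -nodes leaves the key unencrypted.
        P12_PASS=$pass openssl pkcs12 -in "$name.p12" -passin env:P12_PASS \
            -nodes -out "$name.pem" 2>/dev/null
    )
}

# chain_ok DIR NAME: succeeds only if NAME.crt was issued by DIR/CA.pem
# and is usable as a TLS client certificate.
chain_ok() {
    openssl verify -purpose sslclient -CAfile "$1/CA.pem" "$1/$2.crt" \
        >/dev/null 2>&1
}

# Usage: sh make-client-cert.sh ./pki alice 'p12-password'
if [ "$#" -eq 3 ]; then
    make_client_cert "$@" && chain_ok "$1" "$2" && echo "issued $1/$2.p12"
fi
```

The resulting .pem holds the private key unencrypted, so keep it owner-readable only. Apache needs only CA.pem; CA.key should stay off the web server.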

 

Configuring Apache

Copy your CA.pem to a file readable by Apache. In my case it is /home/CA.pem, but this might differ for your server.

In your virtual hosts configuration file, add SSLCACertificateFile and SSLVerifyClient as shown below.

 

 

Finally… we can use it

To use the certificate with curl

 

To install in Safari on a Mac, just double-click the .p12 file and follow the instructions.

To install on iOS, the file can be sent by email (messengers don’t work) and installed by tapping on it and following the instructions. If the file is considered a production file, it should NOT be sent over the internet; instead, plug in a USB cord and transfer it via iTunes.

 
