Mutual authentication using Apache and a web client

on Nov 25, 15 • by Vince Cox • with 1 Comment

It's time to demystify this simple task that we often see performed incorrectly...


As a member of the open source support team at Rogue Wave Software, I get a lot of questions and requests for support every day. One task that I commonly see performed incorrectly is mutual authentication using Apache and a web client. I have pulled together this brief walk-through to help you accomplish this task quickly and easily.

It’s time to demystify

All that takes place here beyond standard SSL is that the server also authenticates the client requesting access: the client presents a certificate of its own during the TLS handshake, and Apache completes the connection only if that certificate chains to a CA the server has been told to trust.

First, some assumptions must be made to get this up and running. You will need to have the following:

An Apache instance that has mod_ssl enabled. Verification: run the following

 apachectl -M | grep ssl

You should see something like this:

ssl_module (shared)

If you don’t have this then you will need to get this enabled in order to continue.

Proper access to:

• Apache
• OpenSSL
• The certs that you will create and install

Let’s begin with the documented steps below:

Generate the certificate for the self-signed CA.

openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout selfsigned-ca.key -x509 -days 3650 -outform PEM -out selfsigned-ca.crt

New items:
• selfsigned-ca.key
• selfsigned-ca.crt
• The CA has now been created. Note that -nodes leaves selfsigned-ca.key unencrypted: anyone who obtains it can issue client certificates your server will trust, so keep it off the web server and restrict its permissions.

Create the SSL server’s private key.

openssl genrsa -out selfsigned.key 2048

New items:
• selfsigned.key

Create the Apache server CSR.

openssl req -new -key selfsigned.key -out selfsigned.csr

New items:
• selfsigned.csr

Sign the Apache server CSR.

openssl x509 -req -in selfsigned.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key -set_serial 100 -days 365 -outform PEM -out selfsigned.crt

New items:
• selfsigned.crt
• The server cert is good for one year (-days 365); it is the CA cert created above that is good for 10 years.

A certificate signed this way carries no subjectAltName, and current browsers match the hostname against the SAN rather than the CN, so expect a hostname-mismatch warning unless you add one (the x509 -extfile option is the usual way).

Now, looking at this from the Apache SSL point of view, what we have below is sufficient for one-way or standard SSL communications.

Apache configuration

Place the certificate and key generated above into the location below.

If you need to place it somewhere else, be sure to modify the path for the two SSL directives below.

Either way, change those two directives in your httpd configuration in Path/to/apache/conf/extra/httpd-ssl.conf or in your vhost configuration if that is where you are enabling use of SSL.

SSLCertificateFile "/etc/pki/tls/selfsigned.crt"
SSLCertificateKeyFile "/etc/pki/tls/selfsigned.key"

With only these two directives in place the client verifies the server, but the server accepts any client; that is one-way SSL.

Let’s check Apache and make sure SSL is working properly:

Ensure that the SSL-enabled Apache instance works. Verification: run the following, substituting your server's host and port for the placeholder:

openssl s_client -connect yourhost:443

You should see the server's certificate chain, including a BEGIN CERTIFICATE block, followed by the handshake details. If you do, all is well.

If this does not work, then you must get SSL in working order before you can continue.

At this point SSL is functioning properly on the Apache web server.

Onward to mutual authentication

In your SSL configuration file (the location selected above) add the following:

• SSLVerifyClient require
• SSLVerifyDepth 10
• SSLCACertificateFile /path/to/cert/selfsigned-ca.crt

SSLVerifyClient takes an argument; with require, Apache refuses any handshake that does not present a client certificate chaining to a CA in SSLCACertificateFile. SSLVerifyDepth caps the chain length Apache will follow; 1 is enough when clients are signed directly by the self-signed CA, and 10 simply allows longer chains.
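A complete vhost that puts those three directives in context, shown as an added example rather than configuration from the original post. The ServerName, the /etc/pki/tls paths and the client name alice in the SSLRequire are assumptions; the directives themselves are stock mod_ssl.

```apache
# Added example vhost, not from the original post. ServerName, paths and the client
# name "alice" are assumptions for illustration.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/selfsigned.crt
    SSLCertificateKeyFile /etc/pki/tls/selfsigned.key

    # One-way TLS ends here. The three directives below turn on mutual authentication.
    # The bare directive without an argument is rejected by Apache at startup;
    # "require" refuses the handshake unless the client presents a certificate that
    # chains to a CA in SSLCACertificateFile.
    SSLVerifyClient require
    # Depth 1 suffices for a leaf signed directly by the self-signed CA; raise it only
    # if you introduce intermediates.
    SSLVerifyDepth 1
    # Only the private CA goes here. Pointing this at a public CA bundle would admit
    # any certificate issued by any of those CAs.
    SSLCACertificateFile /etc/pki/tls/selfsigned-ca.crt

    # Export SSL_CLIENT_S_DN and friends so the application can authorize on the
    # certificate subject rather than just on "some trusted cert was presented".
    SSLOptions +StdEnvVars

    # Authentication says who the client is; authorization is still yours to add.
    <Location /admin>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "alice"
    </Location>
</VirtualHost>
```

Run apachectl configtest before restarting; a missing argument on SSLVerifyClient or a wrong CA path is reported there rather than at the first client handshake.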

Once again, follow the documented steps below:

Generate the client's private key.

openssl genrsa -out selfsigned-cli.key 2048

New items:
• selfsigned-cli.key

Create the client CSR.

openssl req -new -key selfsigned-cli.key -out selfsigned-cli.csr

New items:
• selfsigned-cli.csr

Sign the client CSR.

openssl x509 -req -in selfsigned-cli.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key -set_serial 101 -days 365 -outform PEM -out selfsigned-cli.crt

New items:
• selfsigned-cli.crt

Bundle the client's certificate and client's key into a p12 pack.

openssl pkcs12 -export -inkey selfsigned-cli.key -in selfsigned-cli.crt -out selfsigned-cli.p12

New items:
• selfsigned-cli.p12
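The CA, server and client steps above collected into one script. This is an added example, not the post's own commands: it keeps the same file names and serials but adds the subjectAltName that current browsers require on the server certificate, marks the client certificate for clientAuth only, verifies every issued certificate against the CA before anything is installed, and bundles the CA certificate into the p12. The hostname www.example.test, the subject names, the temporary working directory and the p12 passphrase changeit are all assumptions; change them for your environment.

```shell
#!/bin/sh
# Added example, not from the original post: the walkthrough's CA, server and client
# steps as one script, with the additions a practitioner wants:
#   1. the server cert carries a subjectAltName (browsers ignore the CN for hostnames),
#   2. the client cert is restricted to clientAuth,
#   3. every issued cert is verified against the CA before it is installed,
#   4. the client p12 also carries the CA cert, so the keychain import is self-contained.
# Hostname, subject names, working directory and the p12 passphrase are assumptions.
set -eu

SERVER_NAME="${SERVER_NAME:-www.example.test}"   # assumed hostname; set to your own
OUT="${OUT:-$(mktemp -d)}"                        # every artifact is written here

# 1. Self-signed CA, valid 10 years. -nodes leaves the CA key unencrypted: whoever
#    reads it can mint client certs the server will trust, so it never belongs on
#    the web server itself.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$OUT/selfsigned-ca.key" \
    -subj "/CN=Demo Root CA" -days 3650 -out "$OUT/selfsigned-ca.crt" 2>/dev/null
}

# 2. Key, CSR and CA-signed cert (1 year) for one name.
#    $1 basename, $2 subject, $3 serial, $4 one X.509v3 extension line for -extfile.
issue_cert() {
  name="$1"; subj="$2"; serial="$3"; ext="$4"
  openssl genrsa -out "$OUT/$name.key" 2048 2>/dev/null
  openssl req -new -key "$OUT/$name.key" -subj "$subj" -out "$OUT/$name.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$OUT/$name.ext"
  openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/selfsigned-ca.crt" \
    -CAkey "$OUT/selfsigned-ca.key" -set_serial "$serial" -days 365 \
    -extfile "$OUT/$name.ext" -out "$OUT/$name.crt" 2>/dev/null
}

# 3. The check the walkthrough skips: does the new cert actually chain to our CA?
#    Prints OK or FAIL and returns 0 or 1, so a deploy script can gate on it.
verify_against_ca() {
  if openssl verify -CAfile "$OUT/selfsigned-ca.crt" "$OUT/$1.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL; return 1
  fi
}

# 4. How many times the expected DNS name appears in the server cert (1 = SAN present).
server_san_count() {
  openssl x509 -in "$OUT/selfsigned.crt" -noout -text | grep -c "DNS:$SERVER_NAME" || true
}

# 5. Client bundle for the browser keychain. The passphrase is a demo assumption;
#    most keychain importers refuse a p12 with an empty password.
make_client_p12() {
  openssl pkcs12 -export -inkey "$OUT/selfsigned-cli.key" -in "$OUT/selfsigned-cli.crt" \
    -certfile "$OUT/selfsigned-ca.crt" -passout pass:changeit -out "$OUT/selfsigned-cli.p12"
}

# Run the whole procedure when openssl is available.
if command -v openssl >/dev/null 2>&1; then
  make_ca
  issue_cert selfsigned     "/CN=$SERVER_NAME"       100 "subjectAltName=DNS:$SERVER_NAME"
  issue_cert selfsigned-cli "/CN=alice@example.test" 101 "extendedKeyUsage=clientAuth"
  echo "server cert chains to CA: $(verify_against_ca selfsigned)"
  echo "client cert chains to CA: $(verify_against_ca selfsigned-cli)"
  make_client_p12
  echo "artifacts written to $OUT"
  # Handshake check once the vhost is live (not run here): a successful connection
  # with these options proves the server accepts the client cert.
  #   openssl s_client -connect "$SERVER_NAME:443" -CAfile "$OUT/selfsigned-ca.crt" \
  #     -cert "$OUT/selfsigned-cli.crt" -key "$OUT/selfsigned-cli.key"
fi
```

Copy selfsigned.crt, selfsigned.key and selfsigned-ca.crt to the server; selfsigned-ca.key stays wherever you issue certificates, and selfsigned-cli.p12 goes to the workstation keychain.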

Now it’s time to test

Restart Apache with: apachectl restart

Attempt to access it over https. Without the client certificate you just created the TLS handshake fails, because Apache now requires a client certificate in the exchange.

Add the new certificate bundle (selfsigned-cli.p12) to the keychain on your workstation. Now, in your browser, access the https URL once again. You will be challenged with something like this:

[Screenshot: the browser's certificate-selection dialog listing the Apache client certificate]

Since the certificate is in my keychain, I can simply select it from the list. (The dialog showed three copies of the same certificate; I'm not sure how that happened, so just ignore the duplicates.)

After picking the certificate, voilà! I now have access via mutual authentication.

That is how to setup mutual authentication using Apache and a web client.

In my next segment, I’ll provide a more detailed run through of authentication using a web server, a client, and even a Java Key Store. It will cover cipher and protocols as well – be sure to check back for it!


One Response to Mutual authentication using Apache and a web client

  1. Pankaj Choudhary says:

    Bundle the client's certificate and client's key into a p12 pack. After creating these files, where do I put them?

    Also, after following the steps, I am getting a 502 error.
