
How to determine the sequence of ordering certificates by browser?

@Welton855

Posted in: #Authentication #Browsers #Centos #Https #SecurityCertificate

I did a Mutual Certificate Authentication implementation with OpenSSL and Apache Web Server on the CentOS platform. For a simple explanation, see this diagram:

          -----------
          | Root CA |            // Self-Signed Certificate
          -----------
               |
          ------------
          | SiteA CA |           // Intermediate Certificate signed by Root CA
          ------------
            |      |
   -----------   -----------
   | Server1 |   | Client1 |     // Certificates signed by SiteA CA
   -----------   -----------

In the Apache configuration I edited the following:
Make a chain crt:

sudo cat server.crt rootca.crt serverCA.crt > server_chain.crt


Edit the ssl config:

sudo vi /etc/httpd/conf.d/ssl.conf


Edit these four lines:

SSLCertificateFile /etc/pki/tls/server.crt
SSLCertificateKeyFile /etc/pki/tls/server.key
SSLCertificateChainFile /etc/pki/tls/server_chain.crt
SSLCACertificateFile /etc/pki/tls/rootca.crt


And to make it (two-way) mutual authentication:

SSLVerifyClient require
SSLVerifyDepth 10


Then restart the apache (httpd) service:

sudo service httpd restart


You know that you should give your browser the root CA certificate and the client certificate. While I was testing, I did the following:

I removed rootca.crt from the browser and noticed that Firefox and Chrome ask me for client certificate confirmation before telling me that the server is not trusted, while the Opera browser acts right: it first tells me that the server is not trusted and then shows me the client certificate information.

I was told that in IIS there's an option for telling the web server which one to ask about first, but I couldn't find that option here in Apache.
Can anybody help?


1 Comments


@Deb1703797

This might help you: www.ssllabs.com/ssltest/analyze.html?d=yourwebsite.com
I recently used this to test security. This returns which protocols are used, possible vulnerabilities, key lengths and certificate chain order.

They give you all sorts of information, very useful, I recommend this for everyone, just do a simple check, it's free and only takes a few minutes.

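A local check of chain order and path validation for the hierarchy in the question's diagram, as an added example that is not part of the original post or comment. It assumes `openssl` is on the PATH and builds a constructed throwaway Root CA, SiteA CA, Server1 and Client1 (all file names and subjects are assumptions), then tests whether a PEM bundle lists each certificate directly before its issuer. The `shuffled.pem` bundle uses leaf, root, intermediate order, which matches the `cat` command in the question if `serverCA.crt` there is the SiteA CA certificate.

```shell
# make_pki DIR: constructed demo hierarchy Root CA -> SiteA CA -> Server1 / Client1 (names assumed).
make_pki() (
  cd "$1" || exit 1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > min.cnf
  newreq() { # newreq NAME CN: fresh key and CSR
    openssl req -new -config min.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$1.key" -out "$1.csr" 2>/dev/null
  }
  sign() { # sign NAME ISSUER [extra x509 options]
    n=$1 ca=$2; shift 2
    openssl x509 -req -in "$n.csr" -CA "$ca.crt" -CAkey "$ca.key" \
      -CAcreateserial -days 1 -out "$n.crt" "$@" 2>/dev/null
  }
  newreq rootca "Root CA" &&
    openssl x509 -req -in rootca.csr -signkey rootca.key -days 1 \
      -extfile min.cnf -extensions ca -out rootca.crt 2>/dev/null &&
    newreq sitea "SiteA CA" && sign sitea rootca -extfile min.cnf -extensions ca &&
    newreq server1 "Server1" && sign server1 sitea &&
    newreq client1 "Client1" && sign client1 sitea
)

# chain_in_order BUNDLE: 0 if every certificate in the PEM bundle is directly
# followed by its issuer (leaf first), 1 if not, 2 if no certificate was found.
chain_in_order() {
  t=$(mktemp -d) || return 2
  awk -v d="$t" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  i=1 rc=0; [ -f "$t/1.pem" ] || rc=2
  while [ -f "$t/$((i+1)).pem" ]; do
    iss=$(openssl x509 -noout -issuer_hash -in "$t/$i.pem")
    sub=$(openssl x509 -noout -subject_hash -in "$t/$((i+1)).pem")
    [ "$iss" = "$sub" ] || { rc=1; break; }
    i=$((i+1))
  done
  rm -rf "$t"; return $rc
}

# verify_leaf DIR NAME: validate NAME.crt up to the Root CA via the SiteA CA.
verify_leaf() {
  openssl verify -CAfile "$1/rootca.crt" -untrusted "$1/sitea.crt" "$1/$2.crt" >/dev/null 2>&1
}

dir=$(mktemp -d) && make_pki "$dir" || exit 1
cat "$dir/server1.crt" "$dir/sitea.crt" "$dir/rootca.crt" > "$dir/ordered.pem"
cat "$dir/server1.crt" "$dir/rootca.crt" "$dir/sitea.crt" > "$dir/shuffled.pem"
for f in ordered shuffled; do
  chain_in_order "$dir/$f.pem" && echo "$f.pem: in order" || echo "$f.pem: out of order"
done
verify_leaf "$dir" client1 && echo "client1 verifies up to Root CA"
rm -rf "$dir"
```

`chain_in_order` compares OpenSSL name hashes only, so it checks ordering and not signatures; `verify_leaf` is the step that performs signature and path validation.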