Implement digital certificate (ICP) authentication in Apache


I’m trying to implement Apache authentication through PKI with digital certificates stored on a token/smart card.

I am using XAMPP 5.6.8.0-VC11 on a Windows 7 computer.

Following what I found by searching the Internet, I have uncommented the following settings in the httpd-ssl.conf file of the Apache configuration:

SSLVerifyClient require
SSLVerifyDepth  10

From there, when accessing https://localhost, the browsers (IE 11, Chrome 43 and FF 38) display the digital certificate selection screen (I use an e-CPF in the ICP-Brasil standard, stored on a token) and ask for the password.

After entering the password and pressing ENTER, the behavior in the browsers is as follows:

In IE, I am presented with a page with the message:

This page cannot be displayed.

In FF, it keeps loading the page indefinitely.

In Chrome, the message appears:

Certificate-based authentication failed ERR_BAD_SSL_CLIENT_AUTH_CERT

and clicking on "details" appears:

This server requires an authentication certificate and did not accept the one sent by the browser. Your certificate may have expired or the server may not trust its issuer. Try again with a different certificate, if you have one, or you will need to get a valid certificate from somewhere else.

I have tested several additional settings I found on the Internet, but nothing works. I have also changed the SSL and TLS settings in Windows Internet Options, also without success.

I would like to find out how to implement digital certificate authentication for a more secure login system that is under development.

Has anyone been there or knows how to solve the problem?

  • Does your Apache server recognize the ICP-Brasil root certificate? First you need to download the ICP-Brasil root certificate(s) and configure your server to specifically accept certificates issued by that particular CA (otherwise, how would the webserver know which certificates are valid and which are not?). I have no experience with this type of configuration, but that page (in English) seems to give some examples.

1 answer


Problem solved. From the link indicated by mgibsonbr I got to other sites and found that what was missing was actually to tell Apache what the acceptable certification chain is.

I did this by creating a ca-bundle file and pointing to its path in the SSLCACertificateFile directive in httpd-ssl.conf.

To create the ca-bundle, I downloaded the entire certification chain (in my case, Certisign), opened each of the *.cer files in Notepad, copied the text and pasted it into a ca-bundle.crt file, also in Notepad. The only care, following the guidelines I found, was to place each *.cer in the reverse order of the chain, that is, the ICP-Brasil root *.cer was the last one.

With that, the browser started accepting the client’s certificate (after restarting Apache), but reported that the server’s certificate was untrusted (it was using the default XAMPP certificate). To fix this, I added server.crt as a trusted certificate on the client’s machine (the store was Trusted Root Certification Authorities).

Now the battle is to get the client certificate data to use for authentication.

  • Colleague, how do you pass the client certificate data to the application server? That is, how does the application know who was authenticated, in the case of an e-CNPJ?


    Could you share your ca-bundle with the certificate order? I’m trying to get it right here, but the selection box does not display these certificates, just another certificate I have from GlobalSign.

  • To see how to get the authentication data see here: http://answall.com/questions/139462/certificado-digital-a3-e-cpf-como-acessar-as-informa%C3%A7%C3%B5es-com-javascript/194946#194946
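The procedure the answer describes (gather the chain as PEM, concatenate it into a ca-bundle, point SSLCACertificateFile at it, then pull the client's identity out of the certificate) as an added, self-contained example. This is not code from the thread: it builds a toy three-level chain with the openssl CLI (stand-ins for the ICP-Brasil root, the Certisign intermediate and an e-CPF), so no real ICP-Brasil material is involved, and the names "Toy Root CA", "Toy Intermediate CA", "Toy Client" and the WORK directory are constructed for illustration. It needs the openssl command on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds a toy chain
# (root CA -> intermediate CA -> client cert), assembles ca-bundle.crt the
# way the answer describes, and checks that the client cert verifies against
# it. All names and paths are constructed; no ICP-Brasil material is used.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config. The subject comes from -subj; the extension
# sections make the CA certs real CAs (without CA:TRUE on the intermediate,
# verification fails with "invalid CA certificate").
write_openssl_cnf() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Issue root, intermediate and client certificates (toy stand-ins for the
# "Raiz ICP-Brasil" -> "Certisign" -> "e-CPF" chain in the thread).
make_chain() {
  write_openssl_cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Toy Root CA" -config "$WORK/ca.cnf" -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
    -config "$WORK/ca.cnf" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Client" \
    -config "$WORK/ca.cnf" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions v3_client -out "$WORK/client.crt" 2>/dev/null
}

# Concatenate the PEM files, intermediate first and root last, as the answer did.
build_bundle() {
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/ca-bundle.crt"
}

# Number of certificates in a PEM bundle (2 for the toy chain).
bundle_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Does the client cert chain up to a self-signed root found in the CA file?
# Exit status 0 is what Apache accepts; non-zero is what the browser reports
# as ERR_BAD_SSL_CLIENT_AUTH_CERT. Note that the intermediate alone, or the
# root alone, is not enough: the whole chain must be in the file.
verify_client() {
  openssl verify -CAfile "$1" "$WORK/client.crt" >/dev/null 2>&1
}

# Subject DN of the client certificate: the value mod_ssl hands to the
# application as SSL_CLIENT_S_DN once StdEnvVars is enabled.
client_subject() {
  openssl x509 -in "$WORK/client.crt" -noout -subject | sed 's/^subject= *//'
}

# The httpd-ssl.conf fragment the bundle is meant for.
print_httpd_ssl_conf() {
  cat <<EOF
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile "$WORK/ca-bundle.crt"
# Export the client certificate fields (SSL_CLIENT_S_DN, SSL_CLIENT_CERT, ...)
# to CGI/PHP so the application knows who authenticated.
SSLOptions +StdEnvVars +ExportCertData
EOF
}

make_chain
build_bundle
print_httpd_ssl_conf
echo "client subject: $(client_subject)"
```

Two caveats worth knowing before copying this to a real server. First, for SSLCACertificateFile the order of the certificates in the bundle does not matter: mod_ssl loads every certificate in the file into a trust store and builds the chain itself; the leaf-first ordering only matters for a chain you send to the peer (the server's own SSLCertificateChainFile). Second, the fix for the "server certificate untrusted" warning is a server certificate issued by a CA the clients already trust, not installing the default XAMPP self-signed certificate into each client's Trusted Root store, since anyone holding that key could then impersonate any site for those clients.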
