Using a smart card for SSL client authentication

Time: 2014-12-02 19:24:08

Tags: apache ssl certificate smartcard client-certificates

I have configured Apache to require a client certificate in order to access a resource over SSL on port 443, using:

<VirtualHost _default_:443>

  [other stuff]

    SSLEngine on

    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /PATH_TO_CERTS/server.crt
    SSLCertificateKeyFile /PATH_TO_PRIVATE/server.key
    SSLCACertificateFile /PATH_TO_CERTS/ca.cer

    SSLVerifyClient require
    SSLVerifyDepth  10
    SSLOptions +StdEnvVars +ExportCertData

  [other stuff]

</VirtualHost>

When I set up a self-signed CA and used it to issue client certificates to the clients, I had no problems and achieved SSL client authentication.

However, what I really want to do is require client certificates issued by a trusted third-party CA, which issued said certificates in the form of smart cards. So what I did was change SSLCACertificateFile to /PATH_TO_CERTS/ca-bundle.crt, which contains a set of CA certificates, including the intermediate smart-card-issuing CA and its root CA. The subject and issuer values of these CAs are:

  Root CA:
    subject= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA
    issuer= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA

  Intermediate CA issuing cert:
    subject= /C=US/O=U.S. Government/OU=EXAMPLE AGENCY/OU=Certification Authorities/OU=EXAMPLE AGENCY Operational CA
    issuer= /C=US/O=U.S. Government/OU=EXAMPLE DEPARTMENT/OU=Certification Authorities/OU=EXAMPLE DEPARTMENT Root CA

I expected Apache to accept a valid smart card certificate from the client, but instead I get the following error: "Certificate Verification: Error (20): unable to get local issuer certificate".

I don't know what to do. Am I doing something wrong, or does "SSLVerifyClient require" only work with client certificates issued by a locally established CA?

Any insight on this would be greatly appreciated.

I'm running Apache 2.2 on RHEL6.

2 answers:

Answer 0 (score: 0)

Perhaps you need to add this line to your Apache conf:

SSLCertificateChainFile /PATH_TO_CERTS/intermediateCA.crt

Answer 1 (score: 0)

Here is a configuration example for mutual authentication. It is important to run the rehash command on the certificate directory. You must make sure you have all the certificates of the CA that issued the client certificates. The requirements of the certification chain must be satisfied.

If it is useful, you will find a complete Docker container in this repository: Apache HTTP 2.4 per SmartCard TS-CNS (Tessera Sanitaria - Carta Nazionale Servizi).

<IfModule mod_ssl.c>
    <VirtualHost _default_:${APACHE_SSL_PORT}>
            ServerAdmin ${APACHE_SERVER_ADMIN}
            ServerName ${APACHE_SERVER_NAME}

            DocumentRoot /var/www/html

            # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, e.g.

            LogLevel ${APACHE_LOG_LEVEL} ssl:${APACHE_SSL_LOG_LEVEL}

            ErrorLog ${APACHE_LOG_DIR}/${APACHE_SERVER_NAME}_error.log
            CustomLog ${APACHE_LOG_DIR}/${APACHE_SERVER_NAME}_access.log "%h %{SSL_PROTOCOL}x %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            SSLEngine on

            #   A self-signed (snakeoil) certificate can be created by installing
            #   the ssl-cert package. See
            #   /usr/share/doc/apache2/README.Debian.gz for more info.
            #   If both key and certificate are stored in the same file, only the
            #   SSLCertificateFile directive is needed.
            SSLCertificateFile      /etc/ssl/certs/${APACHE_SSL_CERTS}
            SSLCertificateKeyFile /etc/ssl/private/${APACHE_SSL_PRIVATE}


            #   Certificate Authority (CA):
            #   Set the CA certificate verification path where to find CA
            #   certificates for client authentication or alternatively one
            #   huge file containing all of them (file must be PEM encoded)
            #   Note: Inside SSLCACertificatePath you need hash symlinks
            #                to point to the certificate files. Use the provided
            #                Makefile to update the hash symlinks after changes.
            SSLCACertificatePath /etc/ssl/certs/
            #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

            #   Client Authentication (Type):
            #   Client certificate verification type and depth.  Types are
            #   none, optional, require and optional_no_ca.  Depth is a
            #   number which specifies how deeply to verify the certificate
            #   issuer chain before deciding the certificate is not valid.
            SSLVerifyClient require
            SSLVerifyDepth  5

            SSLUserName SSL_CLIENT_S_DN_CN

            #   SSL Engine Options:
            #   Set various options for the SSL engine.
            #   o FakeBasicAuth:
            #        Translate the client X.509 into a Basic Authorisation.  This means that
            #        the standard Auth/DBMAuth methods can be used for access control.  The
            #        user name is the `one line' version of the client's X.509 certificate.
            #        Note that no password is obtained from the user. Every entry in the user
            #        file needs this password: `xxj31ZMTZzkVA'.
            #   o ExportCertData:
            #        This exports two additional environment variables: SSL_CLIENT_CERT and
            #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
            #        server (always existing) and the client (only existing when client
            #        authentication is used). This can be used to import the certificates
            #        into CGI scripts.
            #   o StdEnvVars:
            #        This exports the standard SSL/TLS related `SSL_*' environment variables.
            #        Per default this exportation is switched off for performance reasons,
            #        because the extraction step is an expensive operation and is usually
            #        useless for serving static content. So one usually enables the
            #        exportation for CGI and SSI requests only.
            #   o OptRenegotiate:
            #        This enables optimized SSL connection renegotiation handling when SSL
            #        directives are used in per-directory context.
            #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                            SSLOptions +ExportCertData +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                            SSLOptions +StdEnvVars
            </Directory>
    </VirtualHost>
</IfModule>
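The error in the question and the "rehash" remark in the answer above are two sides of the same mod_ssl rule: the verifier must be able to find every CA on the path from the client certificate up to a self-signed root, either in the one PEM bundle named by SSLCACertificateFile or in a SSLCACertificatePath directory whose files are named by subject-name hash (what c_rehash or openssl rehash produces). The script below is an added example, not code from the question, the answers or the linked repository: it builds a throw-away root -> intermediate -> client chain with openssl, reproduces X509 error 20 ("unable to get local issuer certificate") when only the root is trusted, and then shows both store layouts that make the same client certificate verify. Every DN, file name and path in it is constructed for the demo. One caveat on answer 0: SSLCertificateChainFile only supplies the server's own intermediate certificates to clients; it is not consulted when verifying the client's certificate, so it cannot clear error 20 on its own.

```shell
#!/bin/sh
# Added example (not from the original question or answers): reproduce mod_ssl's
# "error 20: unable to get local issuer certificate" with openssl, then show the two
# trust-store layouts mod_ssl accepts (one PEM bundle, or a hashed CApath directory).
# All DNs, file names and paths below are constructed for the demo.
set -eu

# make_chain DIR: build root CA -> intermediate CA -> client certificate in DIR.
make_chain() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[client_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  # Self-signed root CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$dir/openssl.cnf" -extensions ca_ext \
    -subj "/C=US/O=Example Dept/OU=Certification Authorities/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Intermediate CA signed by the root: the CA that actually issues the smart-card certs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/C=US/O=Example Agency/OU=Certification Authorities/CN=Example Operational CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/int.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions ca_ext -out "$dir/int.crt" 2>/dev/null
  # End-entity client certificate signed by the intermediate (what the smart card holds).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/C=US/O=Example Agency/CN=JANE DOE" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/client.csr" \
    -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions client_ext -out "$dir/client.crt" 2>/dev/null
  # What SSLCACertificateFile must hold: every CA on the path, intermediate included.
  cat "$dir/int.crt" "$dir/root.crt" > "$dir/ca-bundle.crt"
}

# verify_status TRUST_ARGS... CERT: prints "OK" when openssl verify accepts CERT,
# otherwise "error N" with the X509 error code (20 = unable to get local issuer certificate).
verify_status() {
  if out=$(openssl verify "$@" 2>&1); then
    echo OK
  else
    code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1)
    echo "error ${code:-unknown}"
  fi
}

# build_capath DEST CERT...: lay out CA certs under DEST the way c_rehash / openssl rehash
# does, i.e. file name = subject-name hash + ".0". SSLCACertificatePath needs this naming.
build_capath() {
  dest=$1; shift
  mkdir -p "$dest"
  for f in "$@"; do
    h=$(openssl x509 -noout -hash -in "$f")
    cp "$f" "$dest/$h.0"
  done
}

# demo: walk through the failing layout from the question and the two working ones.
demo() {
  w=$(mktemp -d)
  make_chain "$w"
  echo "root only, intermediate missing:          $(verify_status -CAfile "$w/root.crt" "$w/client.crt")"
  echo "bundle with intermediate and root:        $(verify_status -CAfile "$w/ca-bundle.crt" "$w/client.crt")"
  mkdir -p "$w/unhashed"; cp "$w/root.crt" "$w/int.crt" "$w/unhashed/"
  echo "CApath with plain file names, no rehash:  $(verify_status -CApath "$w/unhashed" "$w/client.crt")"
  build_capath "$w/capath" "$w/root.crt" "$w/int.crt"
  echo "CApath with hashed file names:            $(verify_status -CApath "$w/capath" "$w/client.crt")"
  # First thing to compare against the bundle when error 20 persists: the client's issuer DN.
  echo "client issuer: $(openssl x509 -noout -issuer -in "$w/client.crt")"
  rm -rf "$w"
}
demo
```

Run it with any OpenSSL 1.0.2 or later. The first line reproduces the question's failure, the second is what a correct ca-bundle.crt gives, and the last two show why the answer above insists on rehashing: with plain file names in SSLCACertificatePath the lookup by hash finds nothing and you get the same error 20. If the bundle really does contain the intermediate and the error persists, compare the issuer line printed at the end with the subjects in the bundle; a same-named CA with a different key (a re-keyed or cross-certified issuer) fails identically.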