# Securing access to a web page using a certificate

## destroyedlolo

Hi all,

I would like to secure a webpage using a certificate, but all the tutorials I've found are either obsolete or don't work.

So this is what I did, based on this post:

1/ created a CA root key

```
openssl genrsa -des3 -out destroyedloloCA.key
```

2/ created a root certificate

```
openssl req -x509 -new -nodes -key destroyedloloCA.key -sha256 -days 3650 -out destroyedloloCA.pem
```

3/ a new private key

```
openssl genrsa -out destroyedlolo.key 2048
```

4/ the corresponding CSR

```
openssl req -new -key destroyedlolo.key -out destroyedlolo.csr
```

5/ the web server certificate

```
openssl x509 -req -in destroyedlolo.csr -CA destroyedloloCA.pem -CAkey destroyedloloCA.key -CAcreateserial -out destroyedlolo.crt -days 3650 -sha256 -extfile destroyedlolo.conf
```

6/ then I modified Apache's SSL vhost, and the test is successful with all of this.

Now, on to the client certificate (where the problems begin):

7/ Client private key

```
openssl genrsa -out dlclient.key 2048
```

8/ signature request

```
openssl req -new -key dlclient.key -out dlclient.csr
```

9/ Certificate

```
openssl x509 -extensions v3_ca -req -in dlclient.csr -CA destroyedloloCA.pem -CAkey destroyedloloCA.key  -CAcreateserial -out dlclient.crt -days 3650
```

10/ P12

```
openssl pkcs12 -export -in dlclient.crt -inkey dlclient.key -out dlclient.p12
```

I tried to import this p12 into Firefox, as well as destroyedloloCA.pem, but the connection attempt fails with an SSL_ERROR_UNKNOWN_CA_ALERT error.

So ... what can I do?

Thanks

Laurent
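A condensed version of the procedure above, as an added example that is not Laurent's own commands: it gives the root its CA extensions, issues the client leaf with a clientAuth profile instead of `v3_ca`, bundles leaf and CA into a PKCS#12 file, and then verifies the PEM leaf with `-purpose sslclient`, which is the check a TLS server performs on a presented client certificate. The names demo-ca and demo-client, the subjects, the 365-day lifetime and the passphrase `demo` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): private CA, client leaf with the
# extensions a TLS client certificate needs, PKCS#12 bundle, chain check.
# All file names, subjects and the passphrase are constructed placeholders.
set -eu

build_and_verify() (
  set -eu
  work="$(mktemp -d)"
  cd "$work"

  # Extension profiles. A root CA needs CA:TRUE and keyCertSign; a client
  # leaf must be CA:FALSE with the clientAuth extended key usage. The [req]
  # and [req_dn] sections only exist so openssl req accepts this config.
  cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # 1. Root CA key and self-signed certificate (unencrypted key, demo only).
  openssl genrsa -out demo-ca.key 2048 2>/dev/null
  openssl req -x509 -new -key demo-ca.key -sha256 -days 365 \
      -subj "/CN=Demo Root CA" -config ext.cnf -extensions ca_ext \
      -out demo-ca.pem

  # 2. Client key, CSR, and CA-signed leaf using client_ext (not v3_ca).
  openssl genrsa -out demo-client.key 2048 2>/dev/null
  openssl req -new -key demo-client.key -subj "/CN=demo-client" \
      -config ext.cnf -out demo-client.csr
  openssl x509 -req -in demo-client.csr -CA demo-ca.pem -CAkey demo-ca.key \
      -CAcreateserial -days 365 -sha256 -extfile ext.cnf -extensions client_ext \
      -out demo-client.crt 2>/dev/null

  # 3. PKCS#12 bundle for browser import; -certfile adds the issuing CA so
  #    the browser can show the whole chain.
  openssl pkcs12 -export -in demo-client.crt -inkey demo-client.key \
      -certfile demo-ca.pem -passout pass:demo -out demo-client.p12

  # 4. Verify the PEM leaf (not the .p12) for the sslclient purpose, and
  #    confirm the leaf is not itself a CA and carries clientAuth.
  openssl verify -purpose sslclient -CAfile demo-ca.pem demo-client.crt >/dev/null
  openssl x509 -in demo-client.crt -noout -text | grep -q 'CA:FALSE'
  openssl x509 -in demo-client.crt -noout -text | grep -q 'TLS Web Client Authentication'

  cd /
  rm -rf "$work"
  echo verified
)

# Usage: prints "verified" when the leaf chains to the CA as a client cert.
build_and_verify
```

The `openssl verify` call deliberately targets the `.crt` file: `verify` only reads PEM, so pointing it at the `.p12` produces the "no start line" error regardless of whether the chain is sound.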

----------

## audiodef

I used to use the DIY method, then I decided it was not worth the time and effort. I switched to using Letsencrypt for everything. It's free, recognized by browsers, and will save you time and frustration.

----------

## Hu

As I understand the Let's Encrypt offering, they do not provide, nor plan to provide, client certificates.  They provide server certificates to let a TLS server obtain a certificate matching its DNS name.  They do not provide client certificates used to distinguish individuals within an organization.

destroyedlolo: if I were to guess based on the error message, Apache does not trust your CA, so it cannot verify certificates issued by that CA.
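The server side of Hu's guess, as an added example and not configuration from the thread: a mod_ssl vhost fragment that tells Apache which CA to trust for client certificates and where to require them. Paths, the server name and the `/webservice` location are placeholders; NSS reports an `unknown_ca` alert received from the peer as SSL_ERROR_UNKNOWN_CA_ALERT, which is what a server that cannot chain the presented client certificate sends.

```apache
# Added example (not from the thread): Apache mod_ssl client-certificate
# authentication. All paths and names below are placeholders.
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # The CA(s) whose client certificates Apache will accept. Without this
    # Apache cannot build a chain for a presented client certificate and
    # answers with an unknown_ca alert, which Firefox shows as
    # SSL_ERROR_UNKNOWN_CA_ALERT.
    SSLCACertificateFile  /etc/ssl/example/destroyedloloCA.pem

    # Require a client certificate on the protected path only; depth 1
    # allows only leaves issued directly by the CA above.
    <Location "/webservice">
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>
```

Scoping `SSLVerifyClient` to a `<Location>` makes Apache request the certificate after the initial handshake (renegotiation, or post-handshake authentication with TLS 1.3); setting it at vhost level asks for the certificate up front and is simpler to debug when the client keeps failing.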

----------

## destroyedlolo

Hi,

It looks to me like the problem is not on the Apache side but on the Firefox one.

It seems it doesn't trust my CA even though I imported destroyedloloCA.pem.

I've tried to verify the chain using openssl, but it complains:

```
openssl verify -verbose -purpose sslserver -CAfile destroyedloloCA.pem dlclient.p12
unable to load certificate
3069744352:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: TRUSTED CERTIFICATE
```

I did a grep on "TRUSTED CERTIFICATE", but none of the files I've generated contains this string ...

----------

## John R. Graham

*openssl-verify man page wrote:*

> Certificates must be in PEM format.

Try verifying your leaf cert, not the corresponding .p12 file.

Also, shouldn't your -purpose be sslclient to verify the client cert?

- John

----------

## destroyedlolo

I tried again with the .crt and .cer certificates and they all work.

```
openssl verify -verbose -purpose sslclient -CAfile destroyedloloCA.pem dlclient.crt
dlclient.crt: OK
```

So the question remains: why does Firefox disagree???

----------

## destroyedlolo

Hi,

I'm not giving up, but ... despite many tries, I'm stuck at the same point.

Any idea welcome :Smile:

Best regards,

Laurent

----------

## John R. Graham

Hi Laurent,

Sorry; somehow this thread dropped off my radar.

A couple of things. A "trusted certificate" is one that the browser can chain up to a known root certificate. When you use the "openssl verify" you are supplying the root with the -CAfile argument. If you haven't supplied your root CA cert to Firefox then your root CA is not "known" and the results you're seeing are expected. You can install your root CA cert in Firefox in the Options / Privacy & Security / Certificates / View Certificates / Your Certificates / Import dialog. After installation of your root CA cert, that particular instance of Firefox will "trust" leaf certificates issued by your root CA.

However, other instances of Firefox will not know about your root CA, just as your instance did not know about it until now. That's why Firefox comes pre-installed with a selection of well known issuing CAs: so that web sites (and other servers that need a chain of trust) can acquire a leaf cert that is already trusted by the major browsers. In addition, the security techniques for strongly protecting your root CA are non-trivial. For most purposes other than a toy or hobby chain of trust, it's best to let the experts provide the leaf cert.

Does this help enough? If not, just ask. :Wink:

- John

----------

## Ant P.

It's possible, or at least used to be, to teach the browser to accept your CA (at your own risk: I hope you've set correct DNSname constraints in it) by importing it, after which all leaf certs it signs should be automatically recognised without prompting. I vaguely remember this being much harder in Chromium though, so be warned.

They deliberately make getting there a huge pain in the ass and as confusing as possible, because it's a cross-platform browser, one of the platforms is Windows, and Windows is a circus of criminals and idiots that constantly find new ways to invoke Murphy's law.

On the other hand, if you want the cert to work in well-behaved system software, that's different: you put the CA certificate in /usr/local/share/ca-certificates/$yourname.crt and then run update-ca-certificates as root.

----------

## destroyedlolo

Thanks for your replies: I'll test next week and let you know.

And yes, clients are both m$ and Unixes, as my goal is to protect some webservice calls :Smile:
