Tutorial – Windows
Web Authentication using eSign Token with Simple Authority CA and Apache Server
CONTENTS
OVERVIEW
SCENARIO
INSTALL APACHE SERVER FOR WINDOWS (WEB SERVER)
INSTALL SIMPLE AUTHORITY PROGRAM
GENERATE THE CERTIFICATES
INSTALL WEBSITE CERTIFICATE
CONFIGURE WEBSITE TO REQUIRE SSL AND CLIENT CERTIFICATE
TRUST THE CERTIFICATE ROOT
WEB AUTHENTICATION USING THE INSTALLED CERTIFICATE IN THE TOKEN
ABOUT SOFTLOCK
OVERVIEW
This document is a step-by-step installation guide. It gives the user the information needed to secure an Apache server web site so that no client can access it unless it holds a trusted certificate, and shows how to use the Simple Authority program to generate the certificates for both the clients and the server machine.
SCENARIO
Install Apache Server for Windows (Web Server)
There is much open source software that installs the Apache server on the Windows environment; the simplest is XAMPP. In this step we will see how to use XAMPP to install and configure the Apache server so that it runs correctly.
1- Download the XAMPP Windows version from http://www.apachefriends.org/en/xampp.html .
2- Double click on the installer file Xampp-Win.exe to start the setup process.
3- Accept the default installation folder and click Install.
4- After the installation progress bar completes, a new window will appear asking whether to create a shortcut for XAMPP; accept the default value and press Enter.
5- In the next step press Enter to continue.
6- To let XAMPP work without a drive letter, accept the default “n” and press Enter.
7- Now the program will install Apache, SSL, MySQL and some added features. Press the Return key to continue.
8- Now the program will configure the php.ini configuration file with the default values; press Return to continue.
9- Installation is now complete: enter x, then press Enter to close the installer.
10- Our new Apache server is now installed correctly. To run the server, open the Start menu -> All Programs and select the XAMPP Control Panel from the XAMPP for Windows program group.
11- In the opened panel click the Start button to run the Apache server.
12- The Apache server is now running.
13- To be sure that everything is OK, open Internet Explorer and enter http://localhost or http://machine_name, where machine_name is the server computer name or IP address.
Install Simple Authority Program
We will use the Simple Authority program to create our Certificate Authority and to generate the certificates for the Root, the Server and the clients.
1. Download the Simple Authority program from here, then double click the .exe file to set up the application.
2. Click the “Run” button. The next step will ask you for the installation folder; keep the default, as we will change it later in the coming steps.
3. Click “Install” to complete the setup. After the successful installation message appears, leave the “Run Simple Authority” box checked so that the application runs automatically after you click the “Finish” button.
4. Simple Authority will now run automatically. Go to “Tools” => “Options” to change the installation folder.
5. In the newly displayed frame open the “General” tab and change the “Data directory” path to a new installation path; in my case I make it “D:\SA setup”.
6. Note: I have created the “CA setup :” folder inside the D drive to hold all the output data and certificates which we will generate later.
7. A message box will inform you that you will lose all the previously created data; click OK.
8. In the “Identity files” tab change the “Output folder” to the same path selected above. Don’t forget to close the program after changing the installation path so that the changes are saved.
Generate the Certificates
In this part we are going to use the Simple Authority program installed above to create all the certificates.
Root certificate: for the client and the server to trust each other, each of them must have a certificate trusted by the same root (certificate authority), and each of them must have the root certificate installed and trusted on its machine. You can think of the Root as a government which gives its citizens passports (certificates), so that a person holding such a passport is trusted by anyone who trusts that government.
Server certificate: this is the certificate the server uses to introduce itself to any client; it is generated by the root mentioned above. The client trusts the server if and only if the server certificate was generated by a root trusted by the client.
Client certificate: this is the certificate the client uses to access the server. Access is refused if the certificate is not trusted by the server, that is, not generated by a trusted root.
1. Open the “Simple Authority” program. As this is the first time, a box will appear asking you to create a new Certificate Authority; click “Yes”.
2. Enter the required Certificate Authority information, then click the “OK” button.
3. During the creation of the new root a progress bar will run. Move the mouse inside the progress frame or press random keys on the keyboard to complete the process; the program is just collecting random data for key generation. After completion a success message will appear.
4. The new CA is now created with random information. Click the “Edit user” button to edit the CA information, and select the certificate type “Certification authority”.
5. Right click on the CA name in the users window and select “New Certificate”. The program will ask you for the CA password you entered in the previous steps, and then ask you to enter a new password for the generated certificate so that no one can use this certificate without it. A message box will inform you that the generation is complete and give the path of the output.
6. You will find two generated files (.p12 and .cer). Double click the .p12 file to convert the certificate to a .pfx file so that we can use it later to install the CA certificate on both the client and the server machine.
7. In the Certificate Import Wizard click Next. You will be asked to enter the certificate password; enter it, select “Mark this key as exportable”, then click Next.
8. In the next step keep the default option “Automatically select the certificate store”, click Next, then Finish. A message box will inform you that the certificate was imported successfully.
9. To get the root certificate as a .pfx file, open Internet Explorer, select Tools from the menu bar, then select “Internet Options” and open the “Content” tab.
10. In the Certificates frame click the “Certificates” button; a new window will appear containing the certificates installed on the system.
11. Select the “Personal” tab, click on the CA certificate (in our case it is named “Softlock CA”), then click the “Export” button.
12. The Certificate Export Wizard will appear. Click Next in the welcome window, then select “Yes, export the private key” and click Next. In the next step keep the defaults for the export file format and click Next.
13. The wizard will ask you to enter a new password for the certificate; this password will have to be entered later by anyone who wants to use this certificate. Enter it twice, then click Next.
14. The wizard will then ask you to browse for the location where you want the certificate to be stored. Select the path, give the file a name, for example “Softlock CA”, and click Next, then Finish.
15. Click OK in the success message.
16. The SoftlockCA.pfx file is now stored in the path given above; we will use it in the coming steps.
17. Back in the Simple Authority program, to generate the Server (web site) certificate click the “New user” button and enter the web site information. The certificate type must be “SSL server” and the user name must be the server machine name, in our case “Test”. Then click the “Edit user” button to save the user information.
18. Click the “New Certificate” button and generate the server certificate using the actions from step 5 to 16.
19. After generating and saving the server certificate as a .pfx file, create a new user named client and repeat steps 5 to 16 to generate the client certificate. Note that the certificate type for the client must be “General purpose”.
Install website Certificate
We are now going to configure the server certificate that will identify the server to any client. In the previous steps we generated the server.pfx certificate file, which is the server’s private certificate in the .PFX format; this format combines both the private and the public key. For the Apache server we need the .PEM format, which separates the server public certificate in a .CRT file from the server private key in a .KEY file.
1- In Internet Explorer go to the SSL Converter home page to use its service to convert the certificate format: https://www.sslshopper.com/ssl-converter.html
2- In the opened page click the Browse button and select the server.pfx file, enter the password of the .pfx certificate and press the Convert Certificate button.
3- A new dialog will appear asking you for the location where to store the server.crt file.
4- Now open the server.crt file we have with any text editor; it will appear like this.
5- The file contains both the private key and the public certificate, each in a separate section.
6- To get the private key, copy the section that starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----.
7- Paste this section into a new text file and name it server.key.
8- Copy the section that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- and paste it into a new text file named server.crt.
9- Now we have the server public certificate server.crt and the server private key server.key.
10- To configure the web site’s server public certificate go to C:\xampp\apache\conf\ssl.crt. You will find the default server certificate there; replace it with our new server.crt file.
11- To configure the server private key go to C:\xampp\apache\conf\ssl.key. You will find the server.key file there; replace it with our new server.key file.
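The same split from .pfx into server.crt and server.key can be done on the server itself with the openssl command-line tool, which avoids sending the .pfx (it contains the server private key) to a third-party web site. The script below is an added example, not part of the tutorial; it assumes an openssl binary on the PATH (XAMPP ships one under apache\bin) and a POSIX shell such as Git Bash, and uses the file names from the steps above.

```shell
#!/bin/sh
# Added example, not from the tutorial: split server.pfx into the PEM files
# Apache expects, locally, so the private key is never sent to a web service.
# Assumes the openssl CLI is on the PATH (XAMPP ships apache\bin\openssl.exe).
set -eu

# pfx_to_pem <file.pfx> <password> <out_dir>
# Writes server.crt (the server certificate only), server-ca.crt (any CA
# certificates bundled in the .pfx, may be empty) and server.key (private key,
# unencrypted so Apache can start unattended, readable only by the owner).
pfx_to_pem() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out"
    # -clcerts -nokeys: only the end-entity certificate; piping through
    # openssl x509 drops the "Bag Attributes" header lines, leaving clean PEM.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        | openssl x509 -out "$out/server.crt"
    # -cacerts: the issuer certificate(s), usable as SSLCertificateChainFile.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$out/server-ca.crt"
    # -nocerts -nodes: only the private key, without a passphrase; the umask
    # in the subshell makes the key file owner-readable only.
    ( umask 077
      openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
          | openssl pkey -out "$out/server.key" )
}

# key_matches_cert <server.crt> <server.key>
# Exit 0 when the public key inside the certificate is the public half of the
# private key (the pair Apache will accept), 1 otherwise. Both sides are
# reduced to the SHA-256 of their DER-encoded public key and compared.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Usage (paths are examples):
#   pfx_to_pem server.pfx 'pfx password' out && key_matches_cert out/server.crt out/server.key
```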
Configure website to require SSL and Client Certificate
We are now going to configure our web server to work only over the Secure Transport Layer (SSL) and to require a client certificate, so that only users who have a trusted certificate can log in to our web site.
1- To configure the server to require SSL, open the httpd.conf Apache configuration file with any text editor; you will find it at C:\xampp\apache\conf.
2- In the htdocs directory settings add the SSLRequireSSL directive:
<Directory "C:/xampp/htdocs">
    SSLRequireSSL
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks Includes ExecCGI
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride All
    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all
</Directory>
3- Save the httpd.conf file with these new settings.
4- To configure the web server to request the client certificate, open the httpd-ssl.conf file; you will find it at C:\xampp\apache\conf\extra. Open the file with the text editor and remove the comment symbol (#) from the SSLVerifyClient require and SSLVerifyDepth 10 directives, to make it as follows:
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth 10
5- Save the above changes.
Trust The Certificate root
We need to install the Root CA certificate in the Trusted Root Certification Authorities store on the web server machine. This allows the web server to trust the web site certificate installed on it. Using the Simple Authority program we obtained the Certificate Authority private certificate in the .PFX format; we need to convert it to the .CRT format to get the Root public certificate (.CRT), which is the format the Apache settings expect.
1- Open the SSL Converter web site https://www.sslshopper.com/ssl-converter.html
2- Browse to the Root .PFX certificate, enter the certificate password and press the Convert button.
3- You will get the Root .CRT certificate. Open it with any text editor, copy the public certificate section (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) and save it with the text editor under the name server-ca.crt.
4- Copy the new server-ca.crt file and place it at C:\xampp\apache\conf\ssl.crt.
5- Copy the same file to the same location C:\xampp\apache\conf\ssl.crt, but this time with the name ca-bundle.crt.
6- Open the httpd-ssl.conf file again and remove the comment symbol (#) from the following directives:
SSLCertificateChainFile "conf/ssl.crt/server-ca.crt"
SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"
7- to make this section look like:
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile "conf/ssl.crt/server-ca.crt"

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#   to point to the certificate files. Use the provided
#   Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "conf/ssl.crt"
SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"
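Before testing from a browser it is worth checking, on the server, that the files placed under conf/ssl.crt really form the chains Apache will verify: server.crt must be issued by server-ca.crt, and the client certificate must validate against ca-bundle.crt, which is the path validation mod_ssl performs for SSLVerifyClient require. The script below is an added example, not from the tutorial; it assumes the openssl CLI on the PATH, the file names used in the steps for the CA bundle and client certificate (this section and the previous one), and a PEM copy of the client certificate, client.crt, which the tutorial itself never exports.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check on the server that the files
# copied under conf/ssl.crt form the chains Apache will have to verify.
# Assumes the openssl CLI is on the PATH and the file names used in the steps.
set -eu

# chain_ok <ca-file> <leaf.crt> [depth]
# Exit 0 when <leaf.crt> validates against the CA certificate(s) in <ca-file>,
# which is the path validation mod_ssl performs on a client certificate with
# SSLCACertificateFile; depth bounds the number of intermediate CAs, like
# SSLVerifyDepth (default 10, as in the tutorial).
chain_ok() {
    openssl verify -CAfile "$1" -verify_depth "${3:-10}" "$2" >/dev/null 2>&1
}

# fingerprint <file.crt>: SHA-256 fingerprint of the first certificate in a file
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# check_ssl_files <ssl.crt dir> <client.crt>
# Runs the checks implied by the tutorial's layout, prints one line per check
# and exits 0 only when all of them pass.
check_ssl_files() {
    dir=$1; client=$2; rc=0
    # server-ca.crt and ca-bundle.crt must be copies of the same root certificate
    if [ "$(fingerprint "$dir/server-ca.crt")" = "$(fingerprint "$dir/ca-bundle.crt")" ]; then
        echo "ok   server-ca.crt and ca-bundle.crt hold the same root"
    else
        echo "FAIL server-ca.crt and ca-bundle.crt hold different certificates"; rc=1
    fi
    # the server certificate must be issued by the root sent as the chain file
    if chain_ok "$dir/server-ca.crt" "$dir/server.crt"; then
        echo "ok   server.crt is issued by server-ca.crt"
    else
        echo "FAIL server.crt does not validate against server-ca.crt"; rc=1
    fi
    # a client certificate that does not chain to ca-bundle.crt is rejected by
    # SSLVerifyClient require before any page is served
    if chain_ok "$dir/ca-bundle.crt" "$client"; then
        echo "ok   $client validates against ca-bundle.crt"
    else
        echo "FAIL $client does not validate against ca-bundle.crt"; rc=1
    fi
    return $rc
}

# Usage (Git Bash path for the XAMPP layout; client.crt is an assumed export):
#   check_ssl_files /c/xampp/apache/conf/ssl.crt client.crt
```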
Web Authentication Using the Installed Certificate in the Token
Now we’re ready to see if our settings actually work! Perform the following steps to connect to the secure web site:
1. Before the user can log in to the web site, the user certificate must be placed in the user’s smart token.
2. Plug in the user’s smart token, then double click the client.pfx certificate. A Certificate Import Wizard will appear; click Next, then Next.
3. The wizard will ask you to enter the certificate password that we entered during the certificate generation; enter it, select “Mark this key as exportable”, then click Next.
4. Accept the defaults in the certificate store window and click Next, then Finish.
5. You will be asked for the place to store the certificate; select “Softlock certificate store”, then click OK.
6. The token will ask you to enter the user PIN to ensure that only the token owner can store certificates on it. Enter the PIN, then click OK.
7. A message box will appear to inform you that the client certificate was stored in the token successfully.
8. Before testing, we have to install the root public certificate on the client machine.
9. On the client machine right click on the Root.CER file, select Install Certificate and complete the wizard by clicking Next and Yes to trust the new Root.
10. Now make sure that the token is connected to the client PC, open Internet Explorer and enter the server access link or its IP address into the address bar. Make sure that you use SSL in the URL; in our case it will be “https://test”. A Client Authentication dialog box appears and shows the user’s certificate in the list. Click the View Certificate button.
11. In the Certificate dialog box choose your certificate and click OK.
12. You will be asked to enter the password of your token using an on-screen keyboard, to provide more security.
13. Now you can browse the secure website.
ABOUT SOFTLOCK
Softlock is the world’s leading progressive, innovative, expanding national and international company in the field of digital security. Our aim is to gain customer satisfaction, on time and every time. We have been established since 1997 to create quality security and to keep the value for what’s important in your life.
Our high quality service and excellent benefits and the ability of being reliable and responsible put
us as a leader on the top of digital security companies.
Softlock provides unique products and solutions, which cover many security areas fulfilling customers’ needs in different market sectors. We provide a set of products and solutions covering the following areas: software protection, data encryption, security hardware, digital signature, secure identification and authentication, and secure online distribution of digital contents.
Softlock supports different market sectors such as governmental institutes, organizations, banks, software development companies, multimedia software and game producers, media and eBook publishers, and individual users.
Softlock value comes from the continuous research, the integrated products, the realistic
implementations, and the successful support since 1997.
Softlock is recognized in the local market as the only owner and provider of digital security services.
Softlock is uniquely identified in the global market by the integrated products and the research
based development.
Website www.softlock.net
Email [email protected], [email protected], [email protected]
Telephone +(202)26702267, +(202)26702269
Fax +(202)26702269