mTLS in Apache HTTPD using a Self-Signed CA and Client Certificates

Creating a Self-Signed CA and Client Certificate Using Keystore Explorer (PKCS#12) for mTLS in Apache HTTPD

Overview

This guide walks you through the process of generating a self-signed Certificate Authority (CA) and a client certificate using Keystore Explorer, with certificates stored in PKCS#12 (.p12) format. These certificates will be used to enable mutual TLS (mTLS) authentication in Apache HTTPD for the specific path /access/authn/cert.

Prerequisites

Before you begin, ensure you have:

Keystore Explorer installed (Download)
Apache HTTPD installed and configured

Step 1: Create a Self-Signed CA Certificate

Open Keystore Explorer and create a new keystore (PKCS#12 format).
Click Tools → Generate Key Pair.
Select RSA (2048-bit or higher) and click OK.
Enter the Distinguished Name (DN) details (e.g., CN=MyCA, O=MyOrg, C=SE).
Set the validity period (e.g., 3650 days for 10 years). Press Apply to update the years.
Click Add Extensions
Click Use Standard Template
Select CA and click OK
Click OK.
Click OK.
Keep or change the Alias. Click OK
Set a password for the key pair and click OK.
Click OK.
Save the keystore (myCA.p12).
Set a password for the keystore and click OK.

Step 2: Export the CA Certificate

Open myCA.p12 in Keystore Explorer.
Right-click the CA key pair → Export → Export Certificate Chain.
Choose Head Only, X.509 and PEM format and save it as ca.cer.

Step 3: Create a Client Certificate

Open myCA.p12 in Keystore Explorer.
Right-click the CA key pair → Sign
Select Sign new key pair, select (2048-bit or higher) and click OK.
Set the validity period (e.g., 3650 days for 10 years). Press Apply to update the years.
Enter the Distinguished Name (DN) details (e.g., CN=Client, O=MyOrg, C=SE).
Click Add Extensions
Click Use Standard Template
Select SSL Client and click OK
Click OK
Click OK.
Keep or change the Alias. Click OK
Set a password for the key pair and click OK.
Right-click the Client key pair → Export → Export Key Pair.
Select PKCS#12, set a password for the key pair and the path for the Export File.
Click Export.
Save the keystore if you would like to keep the client certificate in the keystore.

Step 4: Configure Apache HTTPD for mTLS on `/access/authn/cert`

Copy ca.crt to the Apache configuration directory.

Edit the Apache configuration file (httpd.conf or ssl.conf) and add the following configuration:

Add the ca certificate and disable TLS1.3, add our change the following settings:

SSLCACertificateFile "${SRVROOT}/conf/ca.cer"
SSLProtocol all -SSLv3 -TLSv1.3
SSLProxyProtocol all -SSLv3 -TLSv1.3

Add the Location section:

<Location "/access/authn/cert">
   SSLVerifyClient require
   SSLVerifyDepth  10
   # clear the SSL_* values
   RequestHeader set SSL_CLIENT_CERT ""
   RequestHeader set SSL_CLIENT_VERIFY ""
   # add whatever SSL_* variables needed to pass to web application
   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
   RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
   RequestHeader add X-Forwarded-Scheme https
</Location>

Restart Apache:
```
systemctl restart httpd
```

Step 6: Import the client keystore

Import the certificate to the OS using the OS tool.

Conclusion

You have successfully created a self-signed CA, a client certificate, and configured Apache HTTPD for mTLS authentication on the specific path /access/authn/cert using Keystore Explorer, with certificates stored in PKCS#12 (.p12) format.

PreviousAdd a Fortified ID virtual host NextScriptEval Examples

Last updated 8 months ago

hashtagOverview

hashtagPrerequisites

hashtagStep 1: Create a Self-Signed CA Certificate

hashtagStep 2: Export the CA Certificate

hashtagStep 3: Create a Client Certificate

hashtagStep 4: Configure Apache HTTPD for mTLS on /access/authn/cert

hashtagStep 6: Import the client keystore

hashtagConclusion