mTLS in Apache HTTPD using a Self-Signed CA and Client Certificates

Creating a Self-Signed CA and Client Certificate Using Keystore Explorer (PKCS#12) for mTLS in Apache HTTPD

Overview

This guide walks you through the process of generating a self-signed Certificate Authority (CA) and a client certificate using Keystore Explorer, with certificates stored in PKCS#12 (.p12) format. These certificates will be used to enable mutual TLS (mTLS) authentication in Apache HTTPD for the specific path /access/authn/cert.

Prerequisites

Before you begin, ensure you have:

  • Keystore Explorer installed

  • Apache HTTPD installed and configured


Step 1: Create a Self-Signed CA Certificate

  1. Open Keystore Explorer and create a new keystore (PKCS#12 format).

  2. Click Tools → Generate Key Pair.

  3. Select RSA (2048-bit or higher) and click OK.

  4. Enter the Distinguished Name (DN) details (e.g., CN=MyCA, O=MyOrg, C=SE).

  5. Set the validity period (e.g., 3650 days for 10 years). Press Apply to update the years.

  6. Click Add Extensions.

  7. Click Use Standard Template.

  8. Select CA and click OK.

  9. Click OK.

  10. Click OK.

  11. Keep or change the Alias. Click OK.

  12. Set a password for the key pair and click OK.

  13. Click OK.

  14. Save the keystore (myCA.p12).

  15. Set a password for the keystore and click OK.


Step 2: Export the CA Certificate

  1. Open myCA.p12 in Keystore Explorer.

  2. Right-click the CA key pair → Export → Export Certificate Chain.

  3. Choose Head Only, X.509 and PEM format, and save it as ca.cer.


Step 3: Create a Client Certificate

  1. Open myCA.p12 in Keystore Explorer.

  2. Right-click the CA key pair → Sign.

  3. Select Sign New Key Pair, select the algorithm and key size (RSA, 2048-bit or higher) and click OK.

  4. Set the validity period (e.g., 3650 days for 10 years). Press Apply to update the years.

  5. Enter the Distinguished Name (DN) details (e.g., CN=Client, O=MyOrg, C=SE).

  6. Click Add Extensions.

  7. Click Use Standard Template.

  8. Select SSL Client and click OK.

  9. Click OK.

  10. Click OK.

  11. Keep or change the Alias. Click OK.

  12. Set a password for the key pair and click OK.

  13. Right-click the Client key pair → Export → Export Key Pair.

  14. Select PKCS#12, set a password for the key pair and the path for the Export File.

  15. Click Export.

  16. Save the keystore if you would like to keep the client certificate in the keystore.


Step 4: Configure Apache HTTPD for mTLS on /access/authn/cert

  1. Copy ca.cer (exported in Step 2) to the Apache configuration directory.

  2. Edit the Apache configuration file (httpd.conf or ssl.conf) and add the following configuration:

    Add the CA certificate and disable TLS 1.3 (the per-Location client verification below triggers a TLS renegotiation, which TLS 1.3 does not support); add or change the following settings:

    SSLCACertificateFile "${SRVROOT}/conf/ca.cer"
    SSLProtocol all -SSLv3 -TLSv1.3
    SSLProxyProtocol all -SSLv3 -TLSv1.3

    Add the Location section:

    <Location "/access/authn/cert">
       SSLVerifyClient require
       SSLVerifyDepth  10
       # clear the SSL_* values
       RequestHeader set SSL_CLIENT_CERT ""
       RequestHeader set SSL_CLIENT_VERIFY ""
       # add whatever SSL_* variables needed to pass to web application
       RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
       RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
       RequestHeader add X-Forwarded-Scheme https
    </Location>

  3. Restart Apache:

    systemctl restart httpd

Step 5: Import the client keystore

  1. Import the exported client PKCS#12 file into the OS certificate store using the OS certificate management tool, so the client can present it to Apache.


Conclusion

You have created a self-signed CA and a client certificate with Keystore Explorer, stored in PKCS#12 (.p12) format, and configured Apache HTTPD for mTLS authentication on the path /access/authn/cert.
