Web-Authentication-using-eSign-Token-with-Simple-Authority-CA-and-Apache-Server-Tutorial-Windows.pdf

Published on December 2016

Web Authentication using eSign Token with Simple Authority CA and Apache Server
Tutorial – Windows


CONTENTS
OVERVIEW
SCENARIO
INSTALL APACHE SERVER FOR WINDOWS (WEB SERVER)
INSTALL SIMPLE AUTHORITY PROGRAM
GENERATE THE CERTIFICATES
INSTALL WEBSITE CERTIFICATE
CONFIGURE WEBSITE TO REQUIRE SSL AND CLIENT CERTIFICATE
TRUST THE CERTIFICATE ROOT
WEB AUTHENTICATION USING THE INSTALLED CERTIFICATE IN THE TOKEN
ABOUT SOFTLOCK


OVERVIEW
This document is a step-by-step installation guide. It shows how to secure a website on an Apache server so that only clients holding a trusted certificate can access it, and how to use the Simple Authority program to generate certificates for both the clients and the server machine.


SCENARIO


Install Apache Server for Windows (Web Server)
Several open-source packages install the Apache server on Windows; the simplest of them is Xampp. In this step we use Xampp to install and configure the Apache server so that it runs correctly.
1- Download the Xampp Windows version from http://www.apachefriends.org/en/xampp.html .
2- Double-click the installer exe file Xampp-Win.exe to start the setup process.
3- Accept the default installation folder and click Install.

4- After the installation progress bar completes, a new window appears asking whether to create shortcuts for Xampp. Accept the default value and press Enter.


5- In the next step press Enter to continue.

6- At the prompt about enabling Xampp to work without drive letters, accept the default “n” and press Enter.

7- Now the program will install Apache, SSL, MySQL and some added features. Press the Return key to continue.


8- Now the program will configure the Apache configuration file php.ini with the default values. Press Return to continue.

9- Installation is now complete. Enter x, then press Enter to close the installer.

10- Now we have our new Apache server installed correctly. To run the server, open Start menu -> All Programs and select the Xampp control panel from the Xampp for Windows program.


11- In the panel that opens, click the Start button to run the Apache server.

12- The Apache server will now run.


13- To make sure that everything is OK, open Internet Explorer and enter http://localhost or http://machine_name, where machine_name is the server computer name or IP address.


Install Simple Authority Program.
We will use the Simple Authority program to create our Certificate Authority and to generate certificates for the root, the server and the clients.
1. Download the Simple Authority program from here and then double-click the .exe file to set up the application.

2. Click the “Run” button. The next step asks for the installation folder; keep the default, as we will change it later in the coming steps.


3. Click “Install” to complete the setup. After the successful installation message appears, leave the “Run Simple Authority” box checked so that the application runs automatically when you click the “Finish” button.

4. Simple Authority will now run automatically.
5. Go to “Tools” => “Options” to change the installation folder.
6. In the newly displayed frame, open the “General” tab and change the “Data directory” path to a new installation path; in my case I'll make it “D:\SA setup”. Note: I have created the “CA setup” folder inside the D drive to hold all the output data and certificates which we will generate later.
7. A message box will inform you that you will lose all the previously created data; click OK.


8. In the “Identity files” tab, change the “Output folder” to the same path selected above. Don't forget to close the program after changing the installation path so that the changes are saved.


Generate the Certificates
In this part we use the Simple Authority program installed above to create all the certificates.

Root certificate: for the client and the server to trust each other, each of them must have a certificate trusted by the same root (certificate authority), and each of them must have the root certificate installed and trusted on its machine. You can think of the root as your government, which gives its citizens passports (certificates), so that a person who holds this passport is trusted by anyone who trusts the government.

Server certificate: this is the certificate the server uses to introduce itself to any client; it is generated by the root mentioned above. The client will trust the server if and only if the server certificate is generated from a root trusted by the client.

Client certificate: this is the certificate the client uses to access the server; access will not occur if the certificate is not trusted by the server (generated from a trusted root).

1. Open the Simple Authority program. As this is the first time, a box appears asking you to create a new certificate authority; click “Yes”.

2. Enter the required certificate authority information, then click the “OK” button.


3. During the creation of the new root a progress bar runs. Move the mouse inside the progress frame or press random keys on the keyboard to complete the process; the program is just collecting random data for key generation. After completion a success message appears.


4. The new CA is now created with random information. Click the “Edit user” button to edit the CA information. Select the certificate type “Certification authority”.

5. Right-click the CA name in the users window and select “New Certificate”. The program asks for the CA password you entered in the previous steps, and asks you to enter a new password for the generated certificate so that no one can use this certificate without this password. A message box then informs you that the generation is complete and gives its path.


6. You will find two generated files (.p12 and .cer). Double-click the .p12 file to convert the certificate to a .pfx file, so that we can use it later to install the CA certificate on both the client and the server machine.


7. In the certificate import wizard click Next. You will be asked for the certificate password; enter it and select “Mark this key as exportable”, then click Next.

8. In the next step keep the default option “Automatically select the certificate store” and click Next, then Finish. A message box informs you that the certificate was imported successfully.


9. To get the root certificate as a .pfx file, open Internet Explorer, select Tools from the menu bar, then select “Internet Options” and open the “Content” tab.

10. In the Certificates frame click the “Certificates” button. A new window appears containing the certificates installed on the system.


11. Select the “Personal” tab, click the CA certificate (in our case it is named “Softlock CA”) and then click the “Export” button.
12. The certificate export wizard appears. Click Next in the welcome window, then select “Yes, export the private key” and click Next. In the next step keep the defaults for the export file format and click Next.


13. The wizard asks you to enter a new password for the certificate; this password will have to be entered later by anyone who wants to use this certificate. Enter it twice, then click Next.
14. The wizard then asks you to browse to the location where the certificate is to be stored. Select the path and give the file a name, for example “Softlock CA”, and click Next, then Finish.


15. Click OK in the success message.

16. The SoftlockCA.pfx file is now stored in the path given above; we will use it in the coming steps.
17. Back in the Simple Authority program, generate the server (website) certificate: click the “New user” button and enter the website information. The certificate type must be “SSL server” and the user name must be the same as the server machine name; in our case it is “Test”. Then click the “Edit user” button to save the user information.

18. Click the “New Certificate” button and generate the server certificate using the actions from step 5 to 16.
19. After generating and saving the server certificate as a .pfx file, create a new user, name it client, and repeat the steps from 5 to 16 to generate the client certificate. Note that the certificate type for the client must be “General purpose”.


Install website Certificate
We now configure the server certificate that identifies the server to any client. In the previous steps we generated the server.pfx certificate file, which is the server's private certificate in .PFX format; this format combines both the private and the public key. For the Apache server we need a .PEM certificate, which separates the server public key into a .CRT file and the server private key into a .KEY file.
1- In Internet Explorer, go to the SSL Converter home page to use its services to convert the certificate format: https://www.sslshopper.com/ssl-converter.html
2- On the page that opens, click the Browse button and select the server.pfx file. Enter the password for the .pfx certificate and press the Convert Certificate button.

3- A new dialog appears asking where to store the server.crt file.


4- Now we have the server.crt file. Open it with any text editor; it will appear like this.

5- The file contains both the private key and the public certificate, each in its own section.
6- To get the private key, copy the section that starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
7- Paste this section into a new text file and name it server.key
8- Copy the section that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- and paste it into a new text file named server.crt.
9- Now we have the server public certificate file server.crt and the server private key file server.key.
10- To configure the website server public certificate, go to the path C:\xampp\apache\conf\ssl.crt . You will find the server default certificate; replace it with our new server.crt file.
11- To configure the server private key, go to the location C:\xampp\apache\conf\ssl.key . You will find the server.key file; replace it with our new server.key file.
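
Steps 5 to 9 can be done without hand copy-and-paste. The script below is an added example, not part of the original tutorial: it splits a combined PEM file into server.key and server.crt and refuses a file with no key, several keys or a still-encrypted key. The function names and the sample bundle are constructed for illustration; the input can equally come from a local `openssl pkcs12 -in server.pfx -nodes -out bundle.pem` run, which keeps the private key and its password on the machine.

```python
import base64
import re

# One PEM block: the label must match between the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def normalise(label, body):
    """Re-encode one block as clean PEM; reject anything that is not DER."""
    der = base64.b64decode("".join(body.split()), validate=True)
    if der[:1] != b"\x30":  # keys and certificates are ASN.1 SEQUENCEs
        raise ValueError(f"{label}: payload is not DER")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def split_pem_bundle(text):
    """Return (key_pem, [cert_pem, ...]) from a combined PEM file.

    Text outside the markers, such as "Bag Attributes" lines, is dropped.
    """
    keys, certs = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group("label"), match.group("body")
        if "ENCRYPTED" in label or "Proc-Type:" in body:
            raise ValueError("private key is still password-protected")
        if label in KEY_LABELS:
            keys.append(normalise(label, body))
        elif label == "CERTIFICATE":
            certs.append(normalise(label, body))
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no certificate section found")
    return keys[0], certs


def write_apache_files(bundle_path, key_path="server.key", crt_path="server.crt"):
    """Write the key and the certificate to the two files Apache expects."""
    with open(bundle_path, encoding="utf-8", errors="replace") as fh:
        key, certs = split_pem_bundle(fh.read())
    if len(certs) != 1:
        raise ValueError(f"{len(certs)} certificates found; select the server's own by hand")
    with open(key_path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(key)
    with open(crt_path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(certs[0])


def fake_pem(label, n):
    # Constructed placeholder: DER for SEQUENCE { INTEGER n }, not real key material.
    der = bytes([0x30, 0x03, 0x02, 0x01, n])
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed sample in the layout a PFX-to-PEM conversion typically produces.
SAMPLE_BUNDLE = (
    "Bag Attributes\n    friendlyName: Test\n"
    + fake_pem("RSA PRIVATE KEY", 1)
    + "Bag Attributes\n    friendlyName: Test\nsubject=/CN=Test\nissuer=/CN=Softlock CA\n"
    + fake_pem("CERTIFICATE", 2)
)

if __name__ == "__main__":
    key, certs = split_pem_bundle(SAMPLE_BUNDLE)
    print(key, certs[0], sep="")
```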


Configure website to require SSL and Client Certificate
We now configure our web server to work only over the secure transport layer (SSL) and to require a client certificate, so that only users who have a trusted certificate can log in to our website.
1- To configure the server to require SSL, open the HTTPD.CONF Apache configuration file with any text editor; you will find it at C:\xampp\apache\conf
2- In the htdocs directory settings add the directive SSLRequireSSL:

    <Directory "C:/xampp/htdocs">
        SSLRequireSSL
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs/2.2/mod/core.html#options
        # for more information.
        #
        Options Indexes FollowSymLinks Includes ExecCGI
        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride All
        #
        # Controls who can get stuff from this server.
        #
        Order allow,deny
        Allow from all
    </Directory>

3- Save the httpd.conf file with these new settings.


4- To configure the web server to request the client certificate, open the HTTPD-SSL.CONF file, which you will find at C:\xampp\apache\conf\extra. Open the file with the text editor and remove the comment symbol (#) from the SSLVerifyClient require and SSLVerifyDepth 10 directives, so that the section reads as follows:

    #   Client Authentication (Type):
    #   Client certificate verification type and depth.  Types are
    #   none, optional, require and optional_no_ca.  Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    SSLVerifyClient require
    SSLVerifyDepth  10

5- Save the above changes.


Trust The Certificate root
We need to install the Root CA certificate in the Trusted Root Certification Authorities store on the Web server machine. This allows the Web server to trust the Web site certificate installed on the IIS Web site. Using the Simple Authority program we obtained the certificate authority's private certificate in .PFX format; we need to convert it to .CRT format to get the root public certificate (.CRT), which is compatible with the Apache settings.
1- Open the SSL converter website https://www.sslshopper.com/ssl-converter.html
2- Browse to the Root public .PFX certificate, enter the certificate password and press the SSL convert button.
3- You will get the ROOT .CRT certificate. Open it with any text editor, copy the public certificate section and save it with the text editor under the name server-ca.crt

4- Copy the new server-ca.crt file and place it at C:\xampp\apache\conf\ssl.crt
5- Copy the same file and place it at the same location C:\xampp\apache\conf\ssl.crt, but this time with the name ca-bundle.crt.
6- Open the httpd-ssl.conf file again and remove the comment symbol (#) from the following directives:

    SSLCertificateChainFile "conf/ssl.crt/server-ca.crt"
    SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"


7- The section should then look like this:

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    SSLCertificateChainFile "conf/ssl.crt/server-ca.crt"

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath "conf/ssl.crt"
    SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"
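
A check for the edits made in this section and the previous one, as an added example that is not part of the original tutorial: it reads the text of httpd.conf and httpd-ssl.conf and reports any of the tutorial's directives that are still commented out, or an SSLVerifyClient value other than require. The function names and the two sample fragments are constructed; the parser is a simplification that tracks only <Directory> sections.

```python
import re

SECTION = re.compile(r"<(/?)(\w+)\s*(.*?)>$")
# Directives the tutorial uncomments in httpd-ssl.conf.
REQUIRED_SSL = ("SSLVerifyClient", "SSLVerifyDepth",
                "SSLCertificateChainFile", "SSLCACertificateFile")


def active_directives(conf_text):
    """Yield (directory, name, args) for each uncommented directive line.

    `directory` is the enclosing <Directory> path or None; other container
    tags are skipped but the directives inside them are still yielded.
    """
    directory = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = SECTION.match(line)
        if tag:
            closing, name, arg = tag.groups()
            if name.lower() == "directory":
                directory = None if closing else arg.strip('"')
            continue
        parts = line.split(None, 1)
        yield directory, parts[0], parts[1] if len(parts) > 1 else ""


def check_client_cert_config(httpd_conf, ssl_conf, docroot="C:/xampp/htdocs"):
    """Return a list of findings; an empty list means every setting is active."""
    findings = []
    guarded = any(
        d is not None and d.lower() == docroot.lower() and n.lower() == "sslrequiressl"
        for d, n, _ in active_directives(httpd_conf)
    )
    if not guarded:
        findings.append(f'SSLRequireSSL is not active inside <Directory "{docroot}">')
    ssl = {}
    for _, name, args in active_directives(ssl_conf):
        ssl[name.lower()] = args  # a later line overrides an earlier one
    for name in REQUIRED_SSL:
        if name.lower() not in ssl:
            findings.append(f"{name} is missing or still commented out")
    mode = ssl.get("sslverifyclient")
    if mode is not None and mode.lower() != "require":
        findings.append(
            f"SSLVerifyClient is '{mode}'; only 'require' rejects clients without a certificate"
        )
    return findings


# Constructed fragments modelled on the two files the tutorial edits.
HTTPD_CONF = """
<Directory "C:/xampp/htdocs">
    SSLRequireSSL
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
</Directory>
"""
SSL_CONF_DEFAULT = """
<VirtualHost _default_:443>
SSLEngine on
#SSLCertificateChainFile "conf/ssl.crt/server-ca.crt"
#SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"
#SSLVerifyClient require
#SSLVerifyDepth  10
</VirtualHost>
"""
SSL_CONF_TUTORIAL = SSL_CONF_DEFAULT.replace("#SSL", "SSL")

if __name__ == "__main__":
    for finding in check_client_cert_config(HTTPD_CONF, SSL_CONF_DEFAULT):
        print("FINDING:", finding)
```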


Web Authentication Using the Installed Certificate in the Token
Now we’re ready to see if our settings actually work! Perform the following steps to connect to the secure Web site:
1. Before the user can log in to the website, the user certificate must be placed in the user's smart token.
2. Plug in the user's smart token, then double-click the client.pfx certificate. A certificate import wizard appears; click Next, then Next.
3. The wizard asks for the certificate password that we entered during certificate generation. Enter it and select “Mark this key as exportable”, then click Next.

4. Accept the defaults in the certificate store window and click Next, then Finish.
5. You will be asked where to store the certificate; select “Softlock certificate store”, then click OK.


6. The token asks for the user PIN to ensure that only the token owner can store certificates on it. Enter the PIN, then click OK.

7. A message box informs you that the client certificate was stored in the token successfully.

8. Before testing, we have to install the root public certificate on the client machine.
9. On the client machine, right-click the Root.CER file and select Install Certificate, then complete the wizard by clicking Next and Yes to trust the new root.
10. Now make sure that the token is connected to the client PC. Open Internet Explorer and enter the server access link or its IP into the address bar, making sure that you use SSL in the URL; in our case it is “https://test”. A Client Authentication dialog box appears and shows a user's certificate in the list. Click the View Certificate button.


11. In the Certificate dialog box choose your certificate and click OK.


12. You will be asked to enter the password of your token using an on-screen keyboard, which provides more security.


13. Now you can browse the secure website.


ABOUT SOFTLOCK
Softlock is the world’s leading progressive, innovative, expanding national and international company in the field of digital security. Our aim is to gain customer satisfaction, on time and every time. We have been established since 1997 to create quality security and to keep the value of what’s important in your life. Our high-quality service, excellent benefits and ability to be reliable and responsible put us as a leader at the top of digital security companies.

Softlock provides unique products and solutions, which cover many security areas and fulfil customers' needs in different market sectors. We provide a set of products and solutions covering the following areas: software protection, data encryption, security hardware, digital signature, secure identification and authentication, and secure online distribution of digital content. Softlock supports different market sectors such as governmental institutes, organizations, banks, software development companies, multimedia software and game producers, media and eBook publishers, and individual users.

Softlock's value comes from continuous research, integrated products, realistic implementations, and successful support since 1997. Softlock is recognized in the local market as the only owner and provider of digital security services. Softlock is uniquely identified in the global market by its integrated products and research-based development.

Website: www.softlock.net
Email: [email protected], [email protected], [email protected]
Telephone: +(202)26702267, +(202)26702269
Fax: +(202)26702269
