Linux - Security (LinuxQuestions.org): This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have a website. I have already generated a key and a pem file using OpenSSL, and I can access the website through both http and https.
I want to know:
1. Can I stop web browsers from downloading the CA cert when they visit my website through https?
2. I want to allow only those web browsers that have my self-signed CA cert imported to visit the https page of my website. Is that possible?
It likely is a CA cert since when you do a self-signed cert, you are affirming that you are you. So you are actually the certificate authority to your own certificate.
I think that's the logic anyways.
By default openssl will create a CA cert if you don't specify a request.
My Apache server likes to tell me in the error.log:
Code:
server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
How can I force clients to authenticate using certificates?
When you know all of your users (eg, as is often the case on a corporate Intranet), you can require plain certificate authentication. All you need to do is to create client certificates signed by your own CA certificate (ca.crt) and then verify the clients against this certificate.
httpd.conf
# require a client certificate which has to be directly
# signed by our CA certificate in ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/ca.crt
Quote:
It likely is a CA cert since when you do a self-signed cert
No, a CA is either going to be one of the domains that comes already published within your web browser, called a Root CA, or is tiered through a chain of CAs to be verified by one of the Root CAs. Self signed is explicit that you are not using a CA. While you can generate a CA certificate, unless you can get Microsoft, Mozilla, and the many other publishers to recognize that you are a root CA, or you go through the paperwork to register with a Root CA and pay more money than you can possibly imagine to become a chained CA authority, you will only be a self signed certificate.
My website can be accessed through the internet. Most of the webpages use http, and only the sensitive areas such as the login page automatically switch to https.
What I want is: if the guest has no corresponding cert imported in their web browser, then they have no chance to access that https page.
But according to what Habitual said at #2, there's no way to prevent guests from downloading the cert. So I think what I want to do is actually not possible.
It sounds like you are trying to create an SSL key file to authenticate with. This is fairly common on ssh, but I have never heard of such a method used for html. I am not certain whether Apache or any other web server / browser has implemented this feature or not. But I think it would be a requirement of the web server to support this rather than trying to code it through PHP, and definitely not in html. I'm not going to say it is impossible (PHP does have commands to gain direct access to the shell), but you would be starting from scratch on a new experimental idea in unexplored territory.
Quote:
It sounds like you are trying to create an SSL key file to authenticate with. This is fairly common on ssh but I have never heard of such a method used for html. I am not certain if Apache or any other web server / browser has implemented this feature or not. But I think it would be a requirement of the web server to support this...
Startssl uses this as auth as opposed to a username / password.
As shown above, generating a CA certificate and generating client certificates to authenticate against would permit users who have that client certificate to access portions of the site secured.
I'm not sure where
Quote:
What I want is if the guest has no corresponding cert imported in their web browser. Then they've no chance to access that https page.
and
Quote:
How can I force clients to authenticate using certificates?
How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server? When you know all of your users (eg, as is often the case on a corporate Intranet), you can require plain certificate authentication. All you need to do is to create client certificates signed by your own CA certificate (ca.crt) and then verify the clients against this certificate.
are not the same thing. The only people who can access are the people for whom I have generated client certificates and to whom I have given them.
Quote:
While you can generate a CA Certificate, unless you can get Microsoft, Mozilla, and the many other publishers to recognize that you are a root CA, or you go through the paperwork to register with a Root CA and pay more money than you can possibly imagine to become a Chained CA Authority, then you will only be a self signed certificate.
If the OP knows who they want to share the certificate with, and they trust the OP, being a root global CA is not needed.
Quote:
Startssl uses this as auth as opposed to a username / password.
As I was mentioning about its use for ssh, I just have never seen this used as authentication on a web application. I could be wrong, as new technologies are always emerging; perhaps you can give a source example? The only examples I could remotely find from Startssl were purchased signed SSL certificates, which would not include self signed ones. That, and it was some advertisement of "new technology", so it is not exactly clear whether it was the same form of authentication as described here.
The site startssl itself uses a client certificate to be able to login, to identify the user to the server. What the site does (sell / provide ssl certificates) isn't important.
When I log into startssl, it (firefox) asks me if I want to use certificate X to login to this site.
It's a fairly uncommon method of auth, especially since you're limited to that computer unless you copy the certificate to other devices.
You can attempt to log in on this page from startssl by clicking on Authenticate; if you don't have an account you probably do not have a certificate and won't be able to log in. https://www.startssl.com/?app=12
Actually, many (very big ...) companies do this: they create a Certifying Authority (CA) within their own corporate organization, and sometimes create subordinate CA's ... a complete "chain of trust" ... to handle the needs of various corporate divisions.
Then, on all of their (many thousands of ...) computers and mobile-devices, they install this CA as another "trusted CA."
But they (purposely ...) never ask for this "my corporation only" CA to be signed by any of the public authorities. For the purpose of their corporate applications, their master security-department's CA certificate is "the buck stops here."
Then, they configure their various secure internal applications to require a certificate that has been signed by their (and only their ...) CA: either the corporate-wide one, or, in the case of a "divisional" app, the CA of the appropriate division.
Because all of the corporate end-user machines have been programmed to accept the corporate CA, those machines do not present any annoying messages. And, because the secure resources have been programmed not to accept, say, "Thawte's certificates," those resources can only be accessed by authorized corporate machines.
The SSL certificate system can also be used to uniquely identify a client machine, although it is usually more advantageous to use technologies like Kerberos, or at least LDAP/OpenDirectory, for this purpose.
So ... a "self-signed" certificate (and/or a "self-made CA") is in fact perfectly legitimate ... if you cause it to be so.
And the encryption is always "just as strong."
Last edited by sundialsvcs; 06-10-2015 at 07:38 PM.
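The thread leaves three practical points scattered across posts: why "openssl req -x509" produces the "server certificate is a CA certificate" warning, how the quoted Apache configuration actually decides who gets in (a client cert signed by your own ca.crt), and the corporate pattern of a private root CA that nobody outside trusts. The following is an added example, not code from the thread, from Apache or from any poster; it builds all of that with OpenSSL and checks it the way mod_ssl would. Every file name, subject name, hostname and filesystem path in it is an assumption chosen for illustration, and the Apache fragment at the end is an assumed Apache 2.4 configuration, not a copy of anyone's httpd.conf.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a private CA, a server cert
# that is NOT a CA (the error.log complaint in the thread), and a client cert,
# then verifies them the way SSLVerifyClient does. All names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension files: explicit basicConstraints so the issued certs are end-entity
# certs, not CAs. The subjectAltName hostname is assumed.
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# What a one-step "openssl req -x509" gives you: a self-signed cert that carries
# basicConstraints CA:TRUE by default. Correct for a root CA, wrong for a server.
self_signed() { # name subject
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Issue an end-entity cert signed by ca.crt/ca.key using the given extension file.
issue_cert() { # name subject extfile
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}

# Print yes/no: does the cert carry basicConstraints CA:TRUE?
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Exit 0 only if the cert chains to our CA; this is the check SSLVerifyClient
# performs against SSLCACertificateFile. Depth 1 = signed directly by ca.crt.
verify_against_ca() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

self_signed naive "/CN=www.example.test"     # the one-step cert the OP likely made
self_signed ca    "/CN=Example Private CA"   # our root: CA:TRUE is right here
issue_cert server "/CN=www.example.test" server.ext
issue_cert client "/CN=alice" client.ext

echo "naive.crt is CA: $(is_ca naive.crt)   server.crt is CA: $(is_ca server.crt)"
verify_against_ca client.crt && echo "client.crt: accepted (signed by our CA)"
verify_against_ca naive.crt  || echo "naive.crt: rejected (not signed by our CA)"

# Assumed Apache 2.4 fragment: the site stays open, only /login demands a client
# cert directly signed by ca.crt, matching the quoted "particular URL" question.
cat > ssl-login.conf <<'EOF'
SSLCACertificateFile /etc/ssl/private-ca/ca.crt
SSLVerifyClient none
<Location /login>
    SSLVerifyClient require
    SSLVerifyDepth 1
</Location>
EOF
echo "wrote $WORK/ssl-login.conf"
```

Two caveats a practitioner would want. First, the answer to the OP's question 1 is no, and it does not matter: the server sends its own certificate chain in every handshake, and when it asks for a client certificate it also sends the list of acceptable CA names, so ca.crt is public by design. What decides access is possession of a client certificate signed by ca.key, so ca.key is the only secret here; keep it off the web server if you can. Second, putting SSLVerifyClient inside a Location means Apache has to request the certificate after the initial handshake, which relies on renegotiation on TLS 1.2 and on post-handshake authentication on TLS 1.3; not every client supports that, so if the login area can live on its own https virtual host, setting SSLVerifyClient require at the virtual host level is the more robust option.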