Web-Authentication-using-eSign-Token-with-Simple-Authority-CA-and-Apache-Server-Tutorial-Windows.pdf

Tutorial – Windows

Web Authentication

using eSign Token with Simple Authority CA and

Apache Server

an

Tutorial – Windows Web Authentication using eSign Token with Simple Authority CA and Apache Server

CONTENTS OVERVIEW .......................................................................................................................................1

SCENARIO ........................................................................................................................................2

INSTALL APACHE SERVER FOR WINDOWS (WEB SERVER) ................................................................ 3

INSTALL SIMPLE AUTHORITY PROGRAM. ...................................................................................... 8

GENERATE THE CERTIFICATES ................................................................................................... 11

INSTALL WEBSITE CERTIFICATE .................................................................................................. 21

CONFIGURE WEBSITE TO REQUIRE SSL AND CLIENT CERTIFICATE .................................................... 23

TRUST THE CERTIFICATE ROOT .................................................................................................. 25

WEB AUTHENTICATION USING THE INSTALLED CERTIFICATE IN THE TOKEN ...................................... 27

ABOUT SOFTLOCK .......................................................................................................................... 32


1

OVERVIEW This document provides an installation guide step by step providing the user with the needed

information about securing Apache server website by preventing any access except for clients only

have trusted certificate . And how to use the simple authority program in generating certificates for

both the Clients and the server Machine.


2

SCENARIO


3

Install Apache Server for Windows (Web Server)

There is many open source software that provide the installation of Apache server over the

windows environment .the simplest one of them is Xampp. In this step we are going to know how to

use Xampp to install and configure the apache server to run correctly.

1- Download the Xampp windows version from this

http://www.apachefriends.org/en/xampp.html .

2- Double click on the installer exe file Xampp-Win.exe to start the setup process

3- Accept the default installation folder and Click install.

4- After the installation progress bar complete a new window will appear to create shortcut

for the Xampp accept the default value and press enter

http://www.apachefriends.org/en/xampp.html


4

5- In the next step click enter to continue

6- To enable Xampp to work without drive letter accept the default “n” and press enter

7- Now the program will install Apache, SSL , MYSQL and some added features. Press the

return key to continue.


5

8- Now the program will configure the apache configuration file php.ini with the default

values press return to continue.

9- Installation is now completed enter x then enter to close the installation.

10- Now we have our new apache server installed correctly. To run the server open the start

menu-> all programs and select the Xampp control panel from the Xampp for windows

program.


6

11- In the opened panel click start button to run the apache server.

12- Now the apache server will run.


7

13- To be sure that everything is ok open your internet explorer and enter the following link

http://localhost or http://machine_name where machine name is the server computer

name or IP address .

http://localhost/

http://machine_name/


8

Install Simple Authority Program.

We will use the simple authority program to create our Certificate Authority and generate

certificates for both the Root ,Server and the clients.

1. Download the Simple authority program from here and then double click the .exe file to

setup the application.

2. Click on the “run” button -> the next step will ask you for the installation folder keep it as

default as we will change it later in the coming steps.

http://www.simpleauthority.com/download.html


9

3. Click the “Install” to complete the setup and after the successful installation message

appear let the “Run Simple Authority “ box checked so that the application run

automatically after click on the “finish” button.

4. Now the “simple authority” will run automaticaly got to “Tools” => “options” to change

the instalation folder.

5. In the new dispalyed frame browse the “General” tab and change the “ Data directory “

path to a new installation path in my case I’ll make it “D:\SA setup” .

6. Note : I have craete the “CA setup :” folde inside the D drive to hold all the output data and

certficates whixh we will ganerate later .

7. Message box will inform you that you will loss all the orevoius craeted data click ok.


10

8. In the “Identity files “ tab change the “output folder “ to the same path selected above

Don’t forget to close the programe after changing the instalation path so that the changes

can be saved.


11

Generate the Certificates

In this part we are going to use the simple authority program installed above to create all the

certificates

Root certificate: - to have both the client and server trust each other each of them must have a

certificate trusted by the same root (certificate authority). And each of them must have the root

certificate installed and trusted on his machine .you can think of Root as your government which

give its citizens the passport (Certificates) so that the person who hold this passport is trusted from

anyone who trust the government.

Server Certificate: - This is the certificate the server will use to introduce itself to any client and is

generated by the root mentioned above. The client will trust the server if and only if the server

certificate is generated from a root trusted by the client.

Client Certificate: - this is the certificate the client will use to access the server and this will not

occurs if the certificate is not trusted by the server (generated from a trusted root).

1. Open the “simple authority “program as this is the first time a box will appear asked you to

create new Certificate authority click “Yes”.

2. Enter the Certificate authority required information’s then clock the ”OK” button .


12

3. During the creation of the new root a progress par will run. Move the mouse inside the

progress frame or press any random keys on the keyboard to complete the process. The

program is just collect random data for keys generation. After completion a successful

message will be appeared.


13

4. The new CA is now created with a random information click on the “edited user” button to

edited the CA information’s. Select the certificate type as “Certification authority”.

5. Right clock on the CA name on the user’s window and select “New Certificate”. The

program will ask you about the CA password you have entered in the previous steps .and

ask you to enter a new password for the generated Certificate so that no one can use this

certificate without this password. And a message box will inform you that the generation

completed and the give its path.


14

6. You will find 2 generated files (.p12 and .cer) double click on the .p12 file to convert the

certificate to .pfx file so that we can use it later to install the CA certificate in both the

client and server machine.


15

7. In the certificate import wizard click next. You will be asked to enter the certificate

password enter it and select “mark this key as exportable “then click next.

8. In the next step keep the default option “automatically select the certificate store “and

click next then finish. a message box will inform you that the certificate is imported

successfully


16

9. To get the root certificate as a .pfx file open your internet explorer select Tools from the

menu bar then select “Internet options “. And open the “Content” tab.

10. In the Certificates frame click the “Certificates” button a new window will appear

containing the system installed certificates.


17

11. Select the “Personal” tab and click the mouse in the CA certificate in our case it is named

“Softlock CA” and then click the “Export “button.

12. The certificate export wizard will appear click next in the welcome window then select “yes

export the private key”. And click next in the next step keep the defaults for the export file

format and click next.


18

13. The wizard will ask you to enter the new password for the certificates this password will be

entered later by anyone want to use this certificate. Enter it twice then click next.

14. Then the wizard will ask you to browse for the location where you want the certificate to

be stored select the path and give a name to the file for example “Softlock CA” and click

next then finish.


19

15. Click ok in the successful message.

16. Now the SoftlockCA.pfx file is stored in the path was given above we will use it in the

coming steps.

17. Back to our simple authority program to generate the Server (Website) certificate and click

the “New user” button and enter the website information .the certificate type must be “SSL

server “ and the user name must be as the server machine name in our case it is “Test”.

then Click the “edit” user button to save the user information.

18. Click the “New Certificate “ button and generate the Server certificate using the actions

from step 5 to 16.

19. After the generating and saving the server certificate as a .pfx file create a new user and

name it client and repeat the steps from 5 to 16 to generate the client certificate. Note that

the certificate type for the client must be “General purpose”.


20


21

Install website Certificate

We are going now to configure the server certificates to be used to identify the server to any client.

In the previous steps we have generated the server.pfx certificate file which is the private server

certificate but in .PFX extension this type of extension combine both the private and public key.for

the apache server we will need a .PEM certificate which spate the server public key in a .CRT file and

the server private key in a .KEY file.

1- in your internet explorer go to the SSL Converter home page to use its services to convert

the certificate format. https://www.sslshopper.com/ssl-converter.html

2- in the opened page click the browse button and select the server.pfx file .enter the

password for the .pfx certificate and press the Convert Certificate button.

3- A new dialog will appear to ask you for the location where to store the server.crt file.

https://www.sslshopper.com/ssl-converter.html


22

4- Now we have the server.crt file open with any text editor it will appear like this.

5- The file contain both the private key and the public certificate but each of them sperated in

a special section.

6- To get the private key copy and paste the section started by -----BEGIN RSA

PRIVATE KEY----- and ended by -----END RSA PRIVATE KEY-----

7- Paste this section in a new text file and name it server.ky

8- Copy and paste the section started by -----BEGIN CERTIFICATE----- and ended by -----END

CERTIFICATE----- and paste it in a new text file and name it server.crt.

9- Now we have the server public certificate server.crt and the server private key server. key

files.

10- To configure to website server public certificate go to the following path

C:\xampp\apache\conf\ssl.crt .You will find the server default certificate replace it with our

new server.crt file

11- To configure the server private key go to the following location

C:\xampp\apache\conf\ssl.key.You will find the server. Key file replace it with our new

server. Key file.


23

Configure website to require SSL and Client Certificate

We are going now to configure our web server to work only over the Secure Transport layer SSL

And to require client certificate so that only the users who have a trusted certificate can login to our

website.

1- To configure the server to request SSL open the HTTPD.CONF Apache configuration file

with any text editor you will find it at C:\xampp\apache\conf

2- In the htdocs directory setting add the following directive SSLRequireSSL.

<Directory "C:/xampp/htdocs">

SSLRequireSSL

#

# Possible values for the Options directive are "None", "All",

# or any combination of:

# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI

MultiViews

#

# Note that "MultiViews" must be named *explicitly* --- "Options All"

# doesn't give it to you.

#

# The Options directive is both complicated and important. Please see

# http://httpd.apache.org/docs/2.2/mod/core.html#options

# for more information.

#

Options Indexes FollowSymLinks Includes ExecCGI

#

# AllowOverride controls what directives may be placed in .htaccess

files.

# It can be "All", "None", or any combination of the keywords:

# Options FileInfo AuthConfig Limit

#

AllowOverride All

#

# Controls who can get stuff from this server.

#

Order allow,deny

Allow from all

</Directory>

3- Save the httpd.con file with this new settings.


24

4- To configure the web server to request the client certificate open the HTTP-SSL.CONF file

you will find it at C:\xampp\apache\conf\extra. Open the file with the text editor and

remove the comment symbol (#) from the SSLVerifyClient require and

SSLVerifyDepth 10 directives. To make it as follow:-

# Client Authentication (Type):

# Client certificate verification type and depth. Types are

# none, optional, require and optional_no_ca. Depth is a

# number which specifies how deeply to verify the certificate

# issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

5- Save the above changes.


25

Trust The Certificate root

We need to install the Root CA certificate in the Trusted Root Certification Authorities store on the

Web server machine. This allows the Web server to trust the Web site certificate installed on the IIS

Web site. Using the Simple Authority program we obtained the Certificate authority Private

certificate in the .PFX format we will need to convert it to the .CRT format to get the Root publice

certificate .CRT to be compatible with the Apache settings.

1- Open the SSL converter website https://www.sslshopper.com/ssl-converter.html

2- Browse to the Root public .PFX certificate ,enter the certificate password and press the SSL

convert button.

3- You will get the ROOT .CRT certificate open it with any text editor and copy the Public

certificate section and save it into with text editor with name server-ca.crt

-----BEGIN CERTIFICATE-----

MIIDVDCCAjygAwIBAgIGASb7NLkMMA0GCSqGSIb3DQEBBQUAMDoxCzAJBgNVBAYT

AkVHMQ0wCwYDVQQKDARSb290MQ0wCwYDVQQLDARSb290MQ0wCwYDVQQDDARSb290

MB4XDTEwMDIyMzE0MjIwMVoXDTIwMDIyNDE0MjIxNFowOjELMAkGA1UEBhMCRUcx

DTALBgNVBAoMBFJvb3QxDTALBgNVBAsMBFJvb3QxDTALBgNVBAMMBFJvb3QwggEi

MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD2eoR+PrcIE9UH18iU+jRvQhb0

QqIeoMAEc7ryHKahFg15cZD1LtSUYGhv3Vm0LJyOo53J0Cftc12UWdpAOAgzOG7J

Pi/3CB7N1HUpSc184KbZii/ZJXDpsfZuAEKtLHcJ61ExPO7ZMqfowtbKc9u3V8MX

mNkToWYxHTKzkYrFQC32V3FAB0nepqvZtigTb5NSWL8KbSEm5qqv01GWd5B7zJHc

MdF1rKwBEsFSH32+779s0eAMWcXu6fPhz2wApQ8zx5kXthruLnv27x4Dg35/rWJt

VOP9uxXQbNWPMh1u6o/tTb2jdP+40sgXv/SPiVhOlSHpkVKDvA8cHcr2gin/AgMB

AAGjYDBeMB8GA1UdIwQYMBaAFAmHUi3Yx3LuflnKLW1Ub3Cm5eODMB0GA1UdDgQW

BBQJh1It2Mdy7n5Zyi1tVG9wpuXjgzAOBgNVHQ8BAf8EBAMCAYYwDAYDVR0TBAUw

AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAR5l5CnzS4WRv7Nl0CY0npfczprvf7nGF

s8ENtjGQzb/MqCD+OPftk5Hh5H4eyei3N3dlmwZX7KAK0Im5xRM5UR4WWAVBvLB9

SHdaJPCyeEKHc9eGEFb4RTHAjugSsE86D1Gwwd+1et+0TVYXfEVJ8ZTxaDFrRIf7

KaT/1tpTZqHrq06WhyFBYE3AeoIhrPSN+LXr1582Mwq4hGkxdrhULSPqU59u7IZ9

HLhN9cD9AnMyQs6q9x3DqNPqhKLIqdkbid7BEjfSEGS0KEvPFOHdiLr5c/zJu7g0

BStkeXwpu89Qmg4iB7Uu3QkNHTuhaY+QAa5senOJHabXnzFPuTj8rw==

-----END CERTIFICATE-----

4- Copy the new server-ca.crt file and place it at C:\xampp\apache\conf\ssl.crt

5- Copy the same file and place it at the same location C:\xampp\apache\conf\ssl.crt but this

time with the name ca-bundle.crt.

6- open the httpd-ssl.cong file again and remove the comment symbol (#)from the following

directives :-

SSLCertificateChainFile "conf/ssl.crt/server-ca.crt"

SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"

https://www.sslshopper.com/ssl-converter.html


26

7- To make this section like

# Server Certificate Chain:

# Point SSLCertificateChainFile at a file containing the

# concatenation of PEM encoded CA certificates which form the

# certificate chain for the server certificate. Alternatively

# the referenced file can be the same as SSLCertificateFile

# when the CA certificates are directly appended to the server

# certificate for convinience.

SSLCertificateChainFile "conf/ssl.crt/server-ca.crt"

# Certificate Authority (CA):

# Set the CA certificate verification path where to find CA

# certificates for client authentication or alternatively one

# huge file containing all of them (file must be PEM encoded)

# Note: Inside SSLCACertificatePath you need hash symlinks

# to point to the certificate files. Use the provided

# Makefile to update the hash symlinks after changes.

#SSLCACertificatePath "conf/ssl.crt"

SSLCACertificateFile "conf/ssl.crt/ca-bundle.crt"


27

Web Authentication Using the Installed Certificate in the Token

Now we’re ready to see if our settings actually work! Perform the following steps to connect to the

secure Web site:

1. Before the user can log in to the website the user certificate must be placed in the user

Smart Token.

2. Plug in the user smart token then Double click the client.pfx certificate a certificate import

wizard will be appeared click next then next.

3. The wizard will ask you to enter the certificate password that we entered before during the

certificate generation enter it and select “Mark this key as exportable” then click next.

4. Accept the defaults in the certificate store window and click next then finish.

5. You will be asked for the place to store the certificate select “Softlock certificate store “

then click ok


28

6. The token will ask you to enter the User PIN to insure that only the token owner can store

certificates on it . Enter the pin then click ok.

7. A message box will appear to inform you that the Clint certificate stored in the token

successfully

8. Before going to test we have to install the root public certificate at the client machine

9. At the client machine right click on the Root.CER file and select install certificate and

complete with the wizard by click next and yes to trust the new Root

10. Now be sure that the token is connected to the client PC, Open Internet Explorer and enter

the server access link or its IP into the Address bar. And make sure that you use the SSl in

the URL in our case it will be “https://test“. A Client Authentication dialog box appears and

shows a Users certificate in the list. Click the View Certificate button.

https://test/


29

11. In the Certificate dialog box choose your certificate and Click OK.


30

12. You will be asked to enter the password of your token with an on screen keyboard to

provide more security.


31

13. Now you can browse the secure website.


32

ABOUT SOFTLOCK Softlock is the world’s leading progressive, innovative, expanding national and international

company in the field of digital security. Our aim is to gain customer satisfaction, on time and every

time. We are established since 1997 to create quality security and to keep the value for what’s

important in your life.

Our high quality service and excellent benefits and the ability of being reliable and responsible put

us as a leader on the top of digital security companies.

Softlock provides unique products and solutions, which cover many security areas fulfilling

customers need in different market sectors. We provide a set of products and solutions covering the

following areas: software protection, data encryption, security hardware, digital signature, secure

identification and authentication, secure online distribution of digital Contents.

Softlock supports different market sectors like; governmental institutes, organizations, banks,

software development companies, multimedia software and game producers, media and eBooks

publishers and individual users.

Softlock value comes from the continuous research, the integrated products, the realistic

implementations, and the successful support since 1997.

Softlock is recognized in the local market as the only owner and provider of digital security services.

Softlock is uniquely identified in the global market by the integrated products and the research

based development.

Website www.softlock.net

Email [email protected], [email protected], [email protected]

Telephone +(202)26702267, +(202)26702269

Fax +(202)26702269

http://www.softlock.net/

mailto:[email protected]



Documents

Web-Authentication-using-eSign-Token-with-Simple-Authority-CA-and-Apache-Server-Tutorial-Windows.pdf