I am not a system administrator or a network administrator (I have a software developer background). I am having some difficulties trying to follow this tutorial in order to implement SSL client authentication on an Ubuntu 20.04 version: https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/
I know that this tutorial is pretty old, but it seems to work fine except for a single point.
Basically I performed all the steps indicated in the tutorial above. I summarize them here so you can also give me feedback on whether I understand correctly what I have done:
Generate a certificate authority (CA) cert: the first thing I do is create a CA cert. If I understand correctly, it is something like creating my own personal certificate authority (like cacert.org), the only thing is that in this case there is no institution that validates the certificates issued by this CA. Is this understanding correct?
openssl req -newkey rsa:4096 -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.cer
Basically this command will ask me for a PEM pass phrase that I will use to interact with my own CA and some details. I put these parameters:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Notariato
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:.*
Email Address []:[email protected]
NOTE: in the previous answer I put a wildcard (*) for the common name in order to "ignore" where the certificates will be used. Can it work?
So this command generates a ca.cer file that I will use to generate my server and client certificates.
Then I generate my Apache server SSL key and certificate: this is not yet the client certificate (the certificate used by the client to say to the server: "I am a certified client !!!"), this is the server certificate that says to the client: "I am the correct server, not a man in the middle". Is this correct?
To create this server certificate, first I generate the server private key:
openssl genrsa -out server.key 4096
Then I used this server private key in order to generate a certificate request.
openssl req -new -key server.key -out server.req -sha256
Here too it asks me for some parameters:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Notariato
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:*
Email Address []:[email protected]
NOTE: also here I put a wildcard (*) for the common name in order to "ignore" where the certificates will be used. Can it work?
Then I used the certificate generation request and the CA cert to generate the server cert:
openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extensions server -days 1460 -outform PEM -out server.cer -sha256
Then I am trying to install the certificate into my Apache by:
Copy the CA cert to a permanent place. We’ll need to specify our CA cert in Apache since it is a self generated CA and not one that is included in operating systems everywhere:
cp ca.cer /etc/ssl/certs/
Copy the server cert and private key to permanent place:
cp server.cer /etc/ssl/certs/server.crt
cp server.key /etc/ssl/private/server.key
Activate the SSL module in Apache:
a2enmod ssl
Activate the SSL site in Apache and disable the HTTP site:
a2ensite default-ssl
a2dissite default
And now I get a problem on the last command; here is the output of the last two commands:
andrea@ubuntu:~/cert$ a2ensite default-ssl
Site default-ssl already enabled
andrea@ubuntu:~/cert$ a2dissite default
ERROR: Site default does not exist!
As you can see, when I run a2dissite default I get this error message: ERROR: Site default does not exist!
Why? What does it mean? What is wrong? How can I try to solve this error?
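The error comes from how the a2ensite/a2dissite helpers resolve a site name: a site NAME only "exists" when /etc/apache2/sites-available/NAME.conf is present, and enabling it creates a symlink in /etc/apache2/sites-enabled. The Ubuntu apache2 package ships its HTTP site as 000-default.conf and its HTTPS site as default-ssl.conf, so there is no site called plain "default". The script below is an added example, not code from the question or from the linked tutorial: it rebuilds that directory layout in a temporary directory (a constructed fixture, so it runs offline and never touches /etc/apache2) and models the lookup the real Debian helper performs. The function names site_exists, site_enabled, list_sites and disable_site are my own, not the names of Apache tooling.

```sh
#!/bin/sh
# Added example: models the site lookup behind a2ensite/a2dissite on
# Debian/Ubuntu. APACHE_CONF stands in for /etc/apache2 and is created
# as a constructed fixture in a temporary directory.
set -eu

setup_fixture() {
  # Constructed stand-in for /etc/apache2 with the site names Ubuntu ships:
  # 000-default (HTTP) and default-ssl (HTTPS); default-ssl is already enabled,
  # which is what "Site default-ssl already enabled" in the question reflects.
  d=$(mktemp -d)
  mkdir -p "$d/sites-available" "$d/sites-enabled"
  printf '<VirtualHost *:80>\n</VirtualHost>\n'  > "$d/sites-available/000-default.conf"
  printf '<VirtualHost *:443>\n</VirtualHost>\n' > "$d/sites-available/default-ssl.conf"
  ln -s "../sites-available/default-ssl.conf" "$d/sites-enabled/default-ssl.conf"
  echo "$d"
}

# site_exists DIR NAME: success if sites-available/NAME.conf is present
site_exists() {
  [ -f "$1/sites-available/$2.conf" ]
}

# site_enabled DIR NAME: success if sites-enabled/NAME.conf resolves to a file
site_enabled() {
  [ -e "$1/sites-enabled/$2.conf" ]
}

# list_sites DIR: prints "NAME enabled" or "NAME disabled" per available site
list_sites() {
  for f in "$1"/sites-available/*.conf; do
    name=$(basename "$f" .conf)
    if site_enabled "$1" "$name"; then
      echo "$name enabled"
    else
      echo "$name disabled"
    fi
  done
}

# disable_site DIR NAME: mirrors a2dissite, which refuses a name that has no
# sites-available/NAME.conf and otherwise removes the sites-enabled symlink
disable_site() {
  if ! site_exists "$1" "$2"; then
    echo "ERROR: Site $2 does not exist!" >&2
    return 1
  fi
  rm -f "$1/sites-enabled/$2.conf"
}

# Walk-through: reproduce the question's failure, then disable the real HTTP site
APACHE_CONF=$(setup_fixture)
echo "Before:"
list_sites "$APACHE_CONF"
disable_site "$APACHE_CONF" default || true      # prints the ERROR line from the question
disable_site "$APACHE_CONF" 000-default          # the name a2dissite actually expects
echo "After:"
list_sites "$APACHE_CONF"
rm -rf "$APACHE_CONF"
```

On a real host, `ls /etc/apache2/sites-available/` shows the names that a2ensite and a2dissite accept; a2dissite 000-default is the command that disables the plain-HTTP virtual host, and after any change `apachectl configtest` followed by `systemctl reload apache2` applies it.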