Ubuntu/Apache2 SSL configuration Simple guidance, Estonian EID view
RIA EID Guidances https://www.ria.ee Page 1/19
Configuring two-way SSL using Estonian EID smartcards in Ubuntu Apache2 webserver
Document information
Creation time 06.02.2019
Client RIA
Author Urmas Vanem, OctoX
Version 19.12/1
Version information
Date Version Changes/notes
06.02.2019 19.02/1 Public version.
20.02.2019 19.02/1 Added chapter additional configuration options: firewall and OCSP configuration, default website removal. Changed by Urmas Vanem.
12.12.2019 19.12/1 Added recommendations for securing Apache. Changed by Urmas Vanem.
Intro
In this guide we describe:
• How to install and configure the Apache2 (v. 2.4.29) webserver in Ubuntu 18.04.
• How to configure one-way SSL in Apache2.
• How to configure two-way SSL using Estonian EID cards.
In addition, we configure HTTP -> HTTPS redirection.
Apache2 installation and configuration
Installation
1. Refresh the Ubuntu package data: in terminal run „sudo apt update“.
2. Install Apache2: in terminal run „sudo apt install apache2“.
Picture 1 - Apache2 installation
Configuration
Enabling SSL
Enable SSL for Apache2: in terminal run „sudo a2enmod ssl“ and restart the Apache2 service.
Picture 2 – Enable SSL and restart service
Certificate request
Now we create the certificate signing request and the private key. In terminal run:
openssl req -newkey rsa:2048 -keyout OctoXPrivKey5.key -sha256 -subj "/CN=Ubuntu5.kaheksa.xi" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:Ubuntu5.kaheksa.xi,DNS:Apache5.kaheksa.xi")) -out OctoX5.csr -nodes
Note that the <( ... ) process substitution is a bash feature; the command must be run in bash, not in plain sh.
Picture 3 – generating private key and certificate signing request
Notes about the variables with yellow background:
1. OctoXPrivKey5.key is the certificate private key.
2. OctoX5.csr is the certificate signing request.
3. Ubuntu5.kaheksa.xi is the subject name for the certificate.
4. Apache5.kaheksa.xi and Ubuntu5.kaheksa.xi are the certificate SAN DNS names. These names must correspond to real website names (see footnote 1), and naturally the names must be resolvable in name services.
The contents of the certificate signing request file can be viewed by running „openssl req -in OctoX5.csr -noout -text“ in terminal.
Footnote 1: For example, Google Chrome does not trust a site when none of the SAN DNS names equals the website DNS name.
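The same key and CSR generation as a small POSIX shell script, added here as an example and not taken from the guide: it writes the SAN section into a temporary OpenSSL config instead of relying on bash process substitution, and then verifies that the resulting CSR really carries every SAN name before it is sent to the CA (the check a CA operator will otherwise do for you, with a rejected request). The function names and the host names used in the demo run are this example's own; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the RIA guide): generate a private key and a CSR that
# carries SAN DNS names, then confirm the CSR contains them.
# Host names and file names below are constructed for this example.
set -eu

# Build a minimal OpenSSL request config with a [SAN] section and print it.
# $1 = CN, remaining arguments = SAN DNS names.
san_config() {
    cn="$1"; shift
    alt=""
    for name in "$@"; do
        alt="${alt:+$alt,}DNS:$name"
    done
    printf '[req]\ndistinguished_name = dn\nreq_extensions = SAN\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$cn"
    printf '[SAN]\nsubjectAltName = %s\n' "$alt"
}

# Generate key + CSR. $1 = key path, $2 = CSR path, $3 = CN, rest = SAN names.
make_csr() {
    key="$1"; csr="$2"; shift 2
    cfg="$(mktemp)"
    san_config "$@" > "$cfg"
    # -nodes leaves the key unencrypted so Apache can start unattended,
    # so make sure the key file is created readable only by its owner.
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$key" -out "$csr"
    rm -f "$cfg"
}

# Return 0 only if every expected DNS name appears in the CSR's SAN extension
# (the same "openssl req -noout -text" view the guide uses, checked by script).
csr_has_san() {
    csr="$1"; shift
    text="$(openssl req -in "$csr" -noout -text)"
    for name in "$@"; do
        case "$text" in *"DNS:$name"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Demo run (set CSR_DEMO=1): the guide's file and host names, constructed here.
if [ "${CSR_DEMO:-0}" = 1 ]; then
    make_csr OctoXPrivKey5.key OctoX5.csr Ubuntu5.kaheksa.xi \
        Ubuntu5.kaheksa.xi Apache5.kaheksa.xi
    csr_has_san OctoX5.csr Ubuntu5.kaheksa.xi Apache5.kaheksa.xi \
        && echo "CSR carries both SAN names"
fi
```

Run it with CSR_DEMO=1 in the directory where the key and CSR should be written; the temporary config is removed afterwards, and only the private key and the CSR remain.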
Picture 4 – certificate signing request includes request for two SAN DNS names
Certificate signing request file OctoX5.csr should be sent to certificate signer (in our demo environment
it is just one test CA). As a response we get signed certificate in Base-64 encoded format that should
look like the following picture:
Picture 5 – signed certificate in a text editor
In Ubuntu the certificate looks like the following picture:
Picture 6 – certificate in Ubuntu
The certificate also includes alternative SAN DNS names:
Picture 7 - SAN DNS names
As we can see, the certificate issuer is a CA named „OctoX Root CA“. Now we need the “OctoX Root CA” certificate in Base-64 encoded format to add it to our Ubuntu/Apache2 solution as a trusted certificate. In our example OctoX_RCA.pem has already been copied to the user home folder and we copy it from there to the folder /etc/ssl/certs/. In terminal run „cp OctoX_RCA.pem /etc/ssl/certs/OctoX_RCA.pem“.
Picture 8 – copying RCA certificate to certificates container
In addition, we must correctly install signed certificate and private key. Signed certificate must be in
folder /etc/ssl/certs, private key must be in folder /etc/ssl/private.
Picture 9 – installing signed certificate and private key
Now we have correctly installed all certificates and private key needed by Apache2 for one-way SSL.
Creating virtual website
To demonstrate the SSL configuration we create a separate virtual website. At first, we create the home folder for our website, /var/www/Apache5.
Picture 10 – creating website home folder
Then, for testing purposes, we put a simple webpage named index.html in the folder. In our example the file /var/www/html/index.html is copied to our new folder, and minor modifications are made to its heading or title so that we can later recognise it as our website.
Then we prepare the virtual site configuration file: in terminal run „sudo nano /etc/apache2/sites-available/Apache1.conf“.
Picture 11 – creating new virtual website configuration file
Now we paste the following configuration into it:
# Beginning of file
<VirtualHost Apache5.kaheksa.xi:80>
    # HTTP -> HTTPS redirection
    ServerName Apache5.kaheksa.xi
    Redirect / https://Apache5.kaheksa.xi
</VirtualHost>
<VirtualHost Apache5.kaheksa.xi:443>
    # General info
    ServerName Apache5.kaheksa.xi:443
    ServerAdmin [email protected]
    DocumentRoot /var/www/Apache5
    # SSL configuration
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/OctoX5.pem
    SSLCertificateKeyFile /etc/ssl/private/OctoXPrivKey5.key
    SSLCertificateChainFile /etc/ssl/certs/OctoX_RCA.pem
    # Error collection configuration
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# End of file
The new configuration should be activated by running „sudo a2ensite Apache1.conf“ in terminal. Then
restart Apache2 service. If necessary, restart Ubuntu.
Picture 12 – activating new virtual website and restarting Apache2
Now we have configured our new website to use one-way SSL, and all HTTP requests to our site are redirected to HTTPS.
Picture 13 - Apache web server is working and using one-way SSL!
Note. There can be many similar virtual websites with different names in same Apache2 server with
single IP address.
Requiring two-way SSL
If we want to require strong, Estonian EID client certificate-based authentication, we must update our configuration by adding the following lines to our site configuration file Apache5.conf:
• SSLVerifyClient require
• SSLVerifyDepth 2
• SSLCACertificateFile /etc/ssl/certs/EID_Bundle.pem
Picture 14 – updated configuration file, SSL section
Now we create a new text file named EID_Bundle.pem, which includes all active Estonian EID root and intermediate certificates (EE-GovCA2018, ESTEID2018, EE Certification Centre Root CA, ESTEID-SK 2015) in Base-64 encoded format. With this file we restrict which client certificates the Apache2 web services accept: on the client side only those client certificates are offered which are issued by the CAs/chains listed in our file. The file contents in a text editor should look like the following text block:
-----BEGIN CERTIFICATE-----
(Base-64 body of the first CA certificate, not reproduced here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base-64 body of the second CA certificate, not reproduced here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base-64 body of the third CA certificate, not reproduced here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base-64 body of the fourth CA certificate, not reproduced here)
-----END CERTIFICATE-----
Copy the file EID_Bundle.pem to the folder /etc/ssl/certs and reload the Apache2 webserver: in terminal run „systemctl reload apache2“.
When accessing the website Apache5.kaheksa.xi or Ubuntu5.kaheksa.xi now, a client certificate is required.
Picture 15 – client certificate request
After confirming the certificate and entering PIN we can access the website! Two-way SSL works. Good
luck!
Additional configuration options
The purpose of this document is not to give exact guidance on how to optimize or protect websites. The main purpose is to show how it is possible to configure two-way SSL and use Estonian EID cards for authentication. However, in the following section we pay attention to some options which can be useful.
Firewall rules, on demand
By default, the firewall is switched off on Ubuntu. But if it is on, we need to create some rules for accessing the websites on the server. For Apache there are three application profiles:
1. Apache – enables port 80
2. Apache Full – enables ports 80 and 443
3. Apache Secure – enables port 443
To create a firewall rule, run in terminal „sudo ufw allow 'RULE'“. For example, to enable HTTPS traffic only, run „sudo ufw allow 'Apache Secure'“.
Picture 16 - Creating Apache https rules
If the firewall is active, running the command „sudo ufw status“ in terminal shows us the active rules.
Picture 17 – firewall is active and HTTPS is enabled
OCSP (see footnote 2)
By default, the configuration described above allows access to the Apache2 website for all users whose certificates are valid at the time of the request. Certificate revocation status is not checked! If we want to check the client certificate revocation status using SK's guaranteed OCSP service, we first need to make an agreement with SK. After the agreement, SK allows the client access to the guaranteed OCSP service (at the address http://ocsp.sk.ee) based on the client IP address or certificate.
After getting access to the service, we must add the following lines to the SSL configuration section of our Apache2 virtual site (only the directive itself goes into the file; Apache does not allow a comment on the same line as a directive):
• SSLOCSPEnable on – enable the OCSP revocation check for client certificates.
• SSLOCSPDefaultResponder http://ocsp.sk.ee – define the OCSP service location.
• SSLOCSPOverrideResponder on – use the defined OCSP responder even if an OCSP responder is specified in the client certificate.
• SSLOCSPResponderCertificateFile /etc/ssl/certs/EID_OCSP.pem – define the OCSP signing certificate in Base-64 encoded format. Today (20.02.2019) the certificate is SK OCSP RESPONDER 2011 (see footnote 3).
Now our SSL configuration looks like following picture:
Picture 18 - OCSP part is added to SSL configuration section
Footnote 2: Client certificate revocation checking is also doable by configuring certificate revocation lists (CRL). In this document we do not deal with this because we think configuring OCSP is more reasonable.
Footnote 3: Instead of defining the OCSP signing certificate and checking it in the authentication process, we can skip the check by using the line „SSLOCSPNoverify on“ in our Apache2 configuration. In this case only the client certificate is checked against the OCSP service. This configuration is not recommended for production environments.
Now we have to download the OCSP signing certificate SK OCSP RESPONDER 2011 and save it in Base-64 encoded format to the folder /etc/ssl/certs/ as EID_OCSP.pem.
Reload the Apache2 service with the command „systemctl reload apache2“ in terminal. Now all client certificates are checked against SK's guaranteed OCSP service in the authentication phase.
OCSP-AIA
In addition to the guaranteed (paid) OCSP service, SK also offers a similar AIA-OCSP service for free. AIA-OCSP is basically a simple OCSP service with lower availability guarantees and less functionality. The AIA-OCSP path is included in SK user certificates:
1) Certificates issued by the ESTEID-SK 2015 CA: http://aia.sk.ee/esteid2015
2) Certificates issued by the ESTEID2018 CA: http://aia.sk.ee/esteid2018
Picture 19 - ESTEID-SK 2015 AIA-OCSP path in certificate
To enable the client certificate revocation check against the AIA-OCSP service, we need to add the following lines to the SSL configuration section of our Apache2 virtual website:
• SSLOCSPEnable on – enable the OCSP revocation check for client certificates. NB! The „leaf“ mode („SSLOCSPEnable leaf“, which validates only the client certificate itself rather than the whole chain) is available in httpd 2.4.34 and later.
• SSLOCSPUseRequestNonce off – turn off the OCSP request nonce requirement.
Picture 20 - AIA-OCSP configuration is added to SSL section
Reload the Apache2 service with the command „systemctl reload apache2“ in terminal. Now all client certificates are checked, in the authentication phase, against the SK AIA-OCSP service specified in the certificate.
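A pre-reload check for the two-way SSL and OCSP settings described above, added here as an example (it is not part of the guide): it reads directives from a virtual host file, verifies SSLVerifyClient require and SSLVerifyDepth, confirms that the file named by SSLCACertificateFile is a balanced PEM bundle and reports how many certificates it holds, and warns when SSLOCSPNoverify on is present (the setting footnote 3 advises against for production). The function names, the placeholder PEM bundle and the two sample configuration files are constructed for this example; nothing in them is a real Estonian EID certificate.

```shell
#!/bin/sh
# Added example (not part of the RIA guide): sanity-check a virtual host
# configuration before reloading Apache with client-certificate authentication.
set -eu

# Print the value of an Apache directive in a file (case-insensitive, first
# occurrence, comment lines skipped); prints nothing when it is absent.
directive() {
    grep -v '^[[:space:]]*#' "$2" |
        awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Count PEM certificate blocks and confirm every BEGIN has a matching END.
# Prints the count; returns 1 if the file is empty or unbalanced.
pem_cert_count() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    printf '%s\n' "$b"
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Returns 0 when the vhost enforces two-way SSL against a usable CA bundle.
check_client_auth() {
    conf="$1"; ok=0
    [ "$(directive SSLEngine "$conf" | tr 'A-Z' 'a-z')" = on ] ||
        { echo "$conf: SSLEngine is not on"; ok=1; }
    [ "$(directive SSLVerifyClient "$conf" | tr 'A-Z' 'a-z')" = require ] ||
        { echo "$conf: SSLVerifyClient require is missing"; ok=1; }
    depth=$(directive SSLVerifyDepth "$conf")
    [ -n "$depth" ] && [ "$depth" -ge 2 ] ||
        { echo "$conf: SSLVerifyDepth should be at least 2 (root + intermediate)"; ok=1; }
    ca=$(directive SSLCACertificateFile "$conf")
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "$conf: SSLCACertificateFile is missing or unreadable"; ok=1
    elif ! n=$(pem_cert_count "$ca"); then
        echo "$conf: CA bundle $ca is not a balanced PEM file"; ok=1
    else
        echo "$conf: CA bundle $ca holds $n certificate(s)"
    fi
    # Footnote 3: skipping responder verification is not for production.
    if [ "$(directive SSLOCSPNoverify "$conf" | tr 'A-Z' 'a-z')" = on ]; then
        echo "$conf: WARNING: SSLOCSPNoverify on skips validation of the OCSP response signer"
    fi
    return $ok
}

# Constructed sample files: a placeholder PEM "bundle" with two blocks and two
# vhost fragments, one correct and one missing the client verification lines.
demo_dir=$(mktemp -d)
cat > "$demo_dir/EID_Bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64CONSTRUCTEDROOTCA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64CONSTRUCTEDINTERMEDIATE==
-----END CERTIFICATE-----
EOF
cat > "$demo_dir/good.conf" <<EOF
<VirtualHost Apache5.kaheksa.xi:443>
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile $demo_dir/EID_Bundle.pem
    SSLOCSPEnable on
</VirtualHost>
EOF
cat > "$demo_dir/weak.conf" <<EOF
<VirtualHost Apache5.kaheksa.xi:443>
    SSLEngine on
    SSLCACertificateFile $demo_dir/EID_Bundle.pem
    SSLOCSPEnable on
    SSLOCSPNoverify on
</VirtualHost>
EOF

check_client_auth "$demo_dir/good.conf" && echo "good.conf: ready for two-way SSL"
check_client_auth "$demo_dir/weak.conf" || echo "weak.conf: fix the items above first"
cleanup_demo() { rm -rf "$demo_dir"; }
```

Point check_client_auth at the real site file (for example /etc/apache2/sites-available/Apache5.conf) before running „systemctl reload apache2“; the bundle count makes a truncated or badly pasted EID_Bundle.pem visible immediately, and the function's exit status can gate a deployment script.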
Default webpage removal
After the Apache2 installation we also have the default website installed. To remove the default website, run the command „sudo a2dissite 000-default.conf“ in terminal.
Picture 21 – default website removal
Reload the Apache2 service with the command „systemctl reload apache2“ in terminal to apply the new configuration.
Recommended security settings for Apache
SSL/TLS
By default, Apache version 2.4 uses all SSL/TLS protocol versions higher than SSL3:
Picture 22 - Apache version and SSL/TLS default configuration
Nowadays there is probably no need to use SSL/TLS protocol versions lower than TLS 1.2 anymore. TLS 1.2 should be the lowest version; it is widely used, very stable and old! TLS 1.3 can also be enabled to allow optimized and modern TLS traffic.
To configure Apache to support only TLS protocol versions 1.2 and 1.3, we must add the following line to the Apache configuration file: „SSLPROTOCOL -all +TLSv1.2 +TLSv1.3“.
Picture 23 – enabling only TLS versions 1.2 and 1.3 in configuration file
If we want to make the change on server level, we must modify parameter SSLPROTOCOL in the file
/etc/apache2/mods-available/ssl.conf.
Cipher suites
There are many different TLS 1.2 cipher suites available with Apache version 2.4.38 (see footnote 4). We can list the cipher suites available to Apache with the command „openssl ciphers -v“.
By default, all cipher suites matching the following requirements are enabled:
1) HIGH – some ciphers with key length 128 bits and all stronger ones are enabled;
2) !aNULL – ciphers not supporting authentication are disabled.
Picture 24 – server-based configuration in file /etc/apache2/mods-available/ssl.conf
By default, this configuration can be good enough; it does not contain non-secure cipher suites. There are some published cipher suites marked as WEAK, but we probably need some of those ciphers to support older clients.
But if we want to configure the cipher suites for any reason, we can use the directive SSLCIPHERSUITE in the Apache configuration file. Here we can use predefined aliases or exact cipher suite names.
It is impossible to give an exact recommendation for configuring cipher suites because different environments have different requirements, and requirements and possibilities change over time. The only recommendation we can give here is to remove non-secure ciphers from the list if any exist.
Examples:
• Using the following line in the configuration file: ’SSLCIPHERSUITE „ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256“’ – we allow only two safe cipher suites. Some older clients may not be compatible with this configuration.
• Using the following line in the configuration file: ’SSLCIPHERSUITE "EECDH+ECDSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !CAMELLIA256 !CAMELLIA128"’ – we create another configuration with a pretty limited set of cipher suites, which probably supports most clients.
Footnote 4: We handle only TLS 1.2 ciphers in this chapter, because lower protocols should be disabled and everything is OK with TLS version 1.3 today.
Please do not take the samples above as a recommendation. They are just examples! Configure cipher suites only when you are sure what you are doing. Goals can be: disabling non-secure cipher suites, optimizing the configuration by moving faster secure ciphers to the top of the list, or any other.
You can also configure cipher suites on server level by modifying the parameter SSLCIPHERSUITE in the file /etc/apache2/mods-available/ssl.conf.
More information about the different options for configuring cipher suites can be found in the OpenSSL ciphers manual page:
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
SSLHONORCIPHERORDER
An important parameter related to SSLCIPHERSUITE is SSLHONORCIPHERORDER. If this parameter has the value ON, the server's cipher suite order is always preferred over the client's! By default it is not defined, and the default value is OFF.
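An added example (not from the guide) that works out which protocol versions an SSLProtocol value actually enables, following mod_ssl's +/- syntax, and then checks a configuration file for the two settings discussed in this chapter: protocol versions and SSLHonorCipherOrder. It assumes an OpenSSL built without SSLv3 (the usual case on current distributions), so „all“ expands to TLSv1 through TLSv1.3, and that an unprefixed token replaces the protocols set so far (Apache logs a warning at startup for such a line). When a file has no SSLProtocol line at all, the documented default „all -SSLv3“ is used. The sample files and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the RIA guide): evaluate SSLProtocol values and
# check a config file for the TLS hardening settings discussed above.
set -eu

# Assumption: SSLv3 is compiled out of OpenSSL, so "all" means these four.
ALL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# contains "<space separated list>" "<item>"
contains() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# Print the protocols enabled by an SSLProtocol value, in version order.
# "+X" adds X, "-X" removes X, a bare "X" replaces everything set so far.
effective_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok ;;
        esac
        case "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" in
            all)     members=$ALL_PROTOCOLS ;;
            sslv3)   members=SSLv3 ;;
            tlsv1)   members=TLSv1 ;;
            tlsv1.1) members=TLSv1.1 ;;
            tlsv1.2) members=TLSv1.2 ;;
            tlsv1.3) members=TLSv1.3 ;;
            *) echo "unknown SSLProtocol token: $tok" >&2; return 1 ;;
        esac
        case $action in
            set) enabled=$members ;;
            add) for m in $members; do
                     if ! contains "$enabled" "$m"; then enabled="$enabled $m"; fi
                 done ;;
            del) kept=""
                 for p in $enabled; do
                     if ! contains "$members" "$p"; then kept="$kept $p"; fi
                 done
                 enabled=$kept ;;
        esac
    done
    out=""
    for p in SSLv3 $ALL_PROTOCOLS; do
        if contains "$enabled" "$p"; then out="$out $p"; fi
    done
    printf '%s\n' "${out# }"
}

# First value of a directive in a file, case-insensitive, comments skipped.
directive() {
    grep -v '^[[:space:]]*#' "$2" |
        awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Returns 0 when only TLS 1.2/1.3 are enabled and the server's cipher order wins.
check_tls_hardening() {
    conf="$1"; ok=0
    value=$(directive SSLProtocol "$conf")
    [ -n "$value" ] || value="all -SSLv3"   # mod_ssl's documented default
    for p in $(effective_protocols "$value"); do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "$conf: legacy protocol $p is enabled by 'SSLProtocol $value'"; ok=1 ;;
        esac
    done
    order=$(directive SSLHonorCipherOrder "$conf" | tr 'A-Z' 'a-z')
    [ "$order" = on ] ||
        { echo "$conf: SSLHonorCipherOrder is ${order:-unset}, so the client's cipher order wins"; ok=1; }
    return $ok
}

# Constructed samples: the stock ssl.conf settings beside the hardened ones.
demo_dir=$(mktemp -d)
printf 'SSLProtocol all -SSLv3\nSSLCipherSuite HIGH:!aNULL\n' > "$demo_dir/default.conf"
printf 'SSLProtocol -all +TLSv1.2 +TLSv1.3\nSSLHonorCipherOrder on\n' > "$demo_dir/hardened.conf"

check_tls_hardening "$demo_dir/default.conf" || echo "default.conf needs the changes above"
check_tls_hardening "$demo_dir/hardened.conf" && echo "hardened.conf: only TLS 1.2/1.3, server cipher order"
cleanup_demo() { rm -rf "$demo_dir"; }
```

Run check_tls_hardening against /etc/apache2/mods-available/ssl.conf for the server-wide setting and against each site file, since a per-site SSLProtocol overrides the server-level one; effective_protocols on its own is a quick way to see what a proposed line like „-all +TLSv1.2 +TLSv1.3“ leaves enabled before it goes into production.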
Additional possibilities
In addition to the TLS and cipher suite configuration there are many other things we can do to secure our server:
• Keep operating system up to date.
• Keep Apache up to date.
• Run Apache under non-root user rights.
• Disable presenting server information.
• Remove unnecessary modules.
• Disable HTTP requests.
• Add and configure Mod Security.
• Add and configure Mod Evasive.
• Disable directory listing.
• Enable logging.
• …
Please take the list above as short demo recommendations list. Of course, it makes sense to follow the
recommendations, but there can be much more you can do to secure your server:
https://www.google.com/search?q=how+to+secure+apache+server.