TL;DR
This guide shows how to let a browser authenticate to a website with a TLS client certificate (mutual TLS, or mTLS) instead of a username and password. The private key stays on the client device and there is no password to phish, reuse or brute-force, which makes this both more secure and more convenient for services you access often.
Prerequisites
- A working HTTPS site: the server already has its own certificate and private key configured (this is separate from the client certificate).
- A certificate authority (CA) that you control for issuing client certificates. The server is configured to trust the CA certificate, not individual client certificates, so a self-signed client certificate will not be accepted.
- Root (sudo) access to the web server configuration files (Apache or Nginx).
- OpenSSL on a machine you trust for generating keys, plus a basic understanding of the command line and a text editor.
Steps
- Configure your Web Server
  - For Apache, enable the SSL module and restart Apache:
sudo a2enmod ssl
sudo systemctl restart apache2
The site also needs an HTTPS virtual host (port 443) with `SSLEngine on` and the server's own certificate and key; on Debian/Ubuntu, `a2ensite default-ssl` gives you one to adapt.
  - For Nginx, TLS support is compiled into the binary rather than loaded from `/etc/nginx/nginx.conf`, so check that it was built with the module, then restart Nginx:
nginx -V 2>&1 | grep -o with-http_ssl_module
sudo systemctl restart nginx
- Create a Client Certificate
The command below produces a self-signed certificate. That is the right shape for a CA certificate, not for a client certificate: the server validates client certificates against a CA, so a self-signed client certificate will be rejected. Run it once to create your CA (the output files are renamed from the original `client.*` to make their role clear):
openssl req -x509 -newkey rsa:4096 -nodes -keyout ca.key -out ca.crt -days 365
This creates two files: `ca.key` (the CA private key, which signs client certificates; keep it offline and never put it on the web server) and `ca.crt` (the CA certificate, which the server will be told to trust). `-nodes` leaves the key unencrypted; omit it if you want a passphrase on the CA key, and raise `-days` if you do not want to re-issue everything in a year. Then, for each user, generate a key and certificate signing request (`openssl req -new`), sign the request with the CA (`openssl x509 -req -CA ca.crt -CAkey ca.key`, adding the `clientAuth` extended key usage so the certificate cannot double as a server certificate), and bundle the user's key and certificate into a PKCS#12 file (`openssl pkcs12 -export`, producing `client.p12`). Browsers import the private key and certificate together, which is why the `.p12` bundle, not the bare `client.crt`, is what you install in the next step.
- Install the Client Certificate in Your Browser
  - Chrome/Edge: Settings > Privacy and security > Security > Manage device certificates. This opens the operating system's certificate manager (the Windows certificate store or macOS Keychain Access; Chrome on Linux has its own store with a "Your certificates" tab). Import `client.p12` into your personal store and enter its password when prompted.
  - Firefox: Settings > Privacy & Security > Certificates > View Certificates > Your Certificates > Import. Select `client.p12` and enter its password. Do not use the Authorities tab or the "Trust this certificate for identifying websites" option: those are for CA certificates and would not give Firefox an identity to present for login.
- Configure Website to Require Client Authentication
  - For Apache, edit the HTTPS virtual host configuration file (e.g., `/etc/apache2/sites-available/your_site.conf`). `SSLRequireClient` is not an Apache directive; the correct ones are `SSLVerifyClient` and `SSLCACertificateFile`. Add the following inside the `<VirtualHost *:443>` block, next to `SSLEngine on`:
SSLCACertificateFile /etc/ssl/certs/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
`SSLVerifyClient` can also be placed in a `<Location>` or `<Directory>` block to protect only part of the site, but that relies on TLS renegotiation (or, with TLS 1.3, post-handshake authentication), which not all clients support, so start with the whole virtual host.
  - For Nginx, edit the server configuration file (e.g., `/etc/nginx/sites-available/your_site`). The directive is `ssl_verify_client`, not `verify_client`. Add the following inside the `server` block that listens on 443 with `ssl`:
ssl_client_certificate /etc/nginx/ca.crt;
ssl_verify_client on;
ssl_verify_depth 1;
In both servers the file named is the CA certificate (`ca.crt`), not a client certificate: any certificate that chains to it is accepted, and a depth of 1 allows only certificates issued directly by that CA. If the application behind the server should decide who may log in, use `SSLVerifyClient optional` / `ssl_verify_client optional` and forward the verified subject to it (Apache exposes it as the `SSL_CLIENT_S_DN` variable, Nginx as `$ssl_client_s_dn`); never let the application trust a client-supplied header for this.
- Restart Web Server
After changing the configuration, check it before restarting so that a typo does not take the site down (`apachectl configtest` for Apache, `nginx -t` for Nginx), then restart the web server as in Step 1. Make sure `ca.crt` has been copied to the path you configured; the server needs only the CA certificate, never `ca.key`.
- Test the Login
Access your website via HTTPS. When the handshake reaches the server's certificate request, the browser prompts you to choose a client certificate; pick the one you imported. Browsers only offer certificates whose issuer matches a CA the server announced, so the certificate must have been signed by the `ca.crt` you configured. The server can now identify you from the certificate subject without asking for a password; you can also test the handshake from the command line with curl by passing the client certificate and key.
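The full client-side procedure from the steps above, as an added example that is not part of the original guide: a small private CA, a client certificate with the `clientAuth` extended key usage, the PKCS#12 bundle for browser import, and the same chain check the server performs. The directory layout, file names, subject names, PKCS#12 password and the placeholder hostname are all assumptions; only `ca.crt` goes to the web server.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): a private CA that issues
# browser-importable client certificates. Directory layout, file names,
# subject names and the PKCS#12 password are illustrative assumptions.
set -eu

KEY_BITS="${KEY_BITS:-4096}"              # RSA size for every key generated here
P12_PASSWORD="${P12_PASSWORD:-changeit}"  # protects the .p12 in transit and on import

# make_ca DIR: self-signed CA certificate plus the key that signs client certs.
# A private config file is used so the result does not depend on the system
# openssl.cnf; CA:TRUE and keyCertSign are what verifiers require of a CA.
make_ca() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Client CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # -nodes leaves ca.key unencrypted for automation; for a real CA drop it so
  # the key gets a passphrase, and keep ca.key off the web server entirely.
  openssl req -x509 -newkey "rsa:$KEY_BITS" -sha256 -nodes -days 3650 \
    -config "$dir/ca.cnf" -extensions ca_ext \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# make_client DIR NAME: key + CSR for one user, signed by the CA in DIR with the
# clientAuth EKU (so the cert cannot be reused as a server certificate), then
# bundled as PKCS#12 because browsers import key and certificate together.
make_client() {
  local dir="$1" name="$2"
  openssl req -new -newkey "rsa:$KEY_BITS" -sha256 -nodes \
    -config "$dir/ca.cnf" -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, digitalSignature' \
    'extendedKeyUsage = clientAuth' > "$dir/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  openssl pkcs12 -export -name "$name" \
    -inkey "$dir/$name.key" -in "$dir/$name.crt" -certfile "$dir/ca.crt" \
    -passout "pass:$P12_PASSWORD" -out "$dir/$name.p12"
}

# verify_client DIR NAME: exit 0 only if NAME's certificate chains to DIR/ca.crt
# and is usable as a TLS client certificate; this mirrors the server's check.
verify_client() {
  local dir="$1" name="$2"
  openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/$name.crt" >/dev/null 2>&1
}

# has_client_eku DIR NAME: exit 0 if the certificate carries the clientAuth EKU.
has_client_eku() {
  local dir="$1" name="$2"
  openssl x509 -in "$dir/$name.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Typical run (your.site.example is a placeholder for the site you configured):
#   make_ca pki && make_client pki alice && verify_client pki alice
#   copy pki/ca.crt to the server path named in SSLCACertificateFile / ssl_client_certificate
#   import pki/alice.p12 into the browser, or test the handshake without a browser:
#   curl -v --cert pki/alice.crt --key pki/alice.key https://your.site.example/
```

A certificate from any other CA, including a self-signed one made with the `openssl req -x509` one-liner, fails `verify_client` with "unable to get local issuer certificate", which is the same outcome the server would produce; run the check locally before debugging the server side.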
Troubleshooting
- Browser Doesn't Prompt: Check that the certificate appears under "Your Certificates" (Firefox) or in your personal store (Chrome/Edge) together with its private key; a bare `.crt` imported as an authority is not a login identity. Confirm that the `SSLVerifyClient` / `ssl_verify_client` directive is in the virtual host you are actually reaching, not a default or HTTP-only one. Firefox can also be set to select a certificate automatically instead of asking, under Settings > Privacy & Security > Certificates.
- Authentication Fails: Verify that `SSLCACertificateFile` (Apache) or `ssl_client_certificate` (Nginx) points at the CA certificate that issued the client certificate, and that `SSLVerifyDepth` / `ssl_verify_depth` is large enough for your chain. Nginx answers "400 No required SSL certificate was sent" when the browser presented nothing and "400 The SSL certificate error" when the certificate failed validation; Apache records handshake failures in the virtual host's error log. Check the certificate's validity dates, and verify it locally against the CA with `openssl verify -CAfile ca.crt client.crt`, which reports the same reason the server would reject it.