Cyber Security

Digital Certificate Authentication & Signing

TL;DR

This guide shows you how to set up authentication and digital signing using certificates. It covers generating a certificate, configuring your server (Apache example), and verifying signatures.

Generating a Certificate

  1. Create a Key Pair: Use OpenSSL to create a private key and a Certificate Signing Request (CSR).
    openssl req -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

    Fill in the prompts carefully – the Common Name must match your domain name. Note that -nodes writes the private key to disk unencrypted, so restrict its file permissions (for example, readable by root only).

  2. Self-Sign (for testing): For a production environment, get your CSR signed by a Certificate Authority (CA). For testing, you can self-sign it. Be aware that browsers will warn users about self-signed certificates.
    openssl x509 -req -days 365 -in yourdomain.csr -signkey yourdomain.key -out yourdomain.crt
  3. Certificate Files: You’ll now have two important files:
    • yourdomain.key: Your private key – keep this secret!
    • yourdomain.crt: Your certificate file.

Configuring Apache for Certificate Authentication

  1. Enable SSL Module: Make sure the SSL module is enabled in your Apache configuration.
    sudo a2enmod ssl
  2. Create Virtual Host File: Create or edit your virtual host file (e.g., /etc/apache2/sites-available/yourdomain.conf).
  3. Configure SSL Virtual Host: Add an SSL virtual host block similar to this:
    <VirtualHost *:443>
        ServerName yourdomain.com
        DocumentRoot /var/www/yourdomain
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/yourdomain.crt
        SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
    </VirtualHost>

    Replace yourdomain.com with your actual domain and the paths to your certificate files. This block enables TLS with your server certificate; if you also want Apache to require client certificates, add SSLVerifyClient require and point SSLCACertificateFile at the CA that issues them.

  4. Restart Apache: Restart Apache to apply the changes.
    sudo systemctl restart apache2

Digital Signing (Example using OpenSSL)

  1. Sign Data: Use OpenSSL to sign data with your private key.
    openssl dgst -sha256 -sign yourdomain.key -out signature.sig data.txt

    This creates a signature.sig file containing the digital signature for data.txt.

  2. Verify Signature: Use OpenSSL to verify the signature with the public key from your certificate. openssl dgst -verify expects a bare public key, not an X.509 certificate, so extract it first:
    openssl x509 -in yourdomain.crt -pubkey -noout > yourdomain.pub
    openssl dgst -sha256 -verify yourdomain.pub -signature signature.sig data.txt

    If the verification is successful, you’ll see “Verified OK”. If it fails, something is wrong (e.g., the data has been tampered with, or the wrong key/certificate was used).
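The full sign-and-verify round trip as one script, added here as an example and not part of the original guide. It assumes the openssl CLI is installed; the key, certificate and data file names are constructed, and it shows the public-key extraction step plus a tamper check that must fail.

```shell
#!/bin/sh
# Added example (not the guide's own commands): generate a test key and
# self-signed certificate non-interactively, sign a file, verify it, then
# confirm that a modified file no longer verifies. Assumes openssl is on PATH.

# make_test_pki DIR: private key, self-signed cert, and the extracted public key.
make_test_pki() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/signer.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/signer.key" -days 1 \
        -subj "/CN=signer.example.test" -out "$dir/signer.crt" 2>/dev/null
    # dgst -verify needs a bare public key, not a certificate, so extract it.
    openssl x509 -in "$dir/signer.crt" -pubkey -noout > "$dir/signer.pub"
}

# sign_file KEY DATA SIG: SHA-256 signature of DATA with the private KEY.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUB DATA SIG: prints "ok" (exit 0) or "fail" (exit 1).
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo ok; return 0
    fi
    echo fail; return 1
}

# demo: returns 0 only when the untouched file verifies and the tampered one does not.
demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    printf 'invoice total: 100.00\n' > "$dir/data.txt"   # constructed sample data
    sign_file "$dir/signer.key" "$dir/data.txt" "$dir/data.sig"
    good=$(verify_file "$dir/signer.pub" "$dir/data.txt" "$dir/data.sig") || true
    printf 'invoice total: 900.00\n' > "$dir/data.txt"   # one-character change
    bad=$(verify_file "$dir/signer.pub" "$dir/data.txt" "$dir/data.sig") || true
    rm -rf "$dir"
    [ "$good" = ok ] && [ "$bad" = fail ]
}
```

Run `demo` to exercise the whole flow; on success it exits 0 and leaves no files behind.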

Important Security Considerations

  • Protect Your Private Key: The private key is crucial. Store it securely and restrict access to it. Never share your private key.
  • Use a Strong Algorithm: SHA256 or stronger hashing algorithms are recommended for signing.
  • Certificate Authority (CA): For production environments, always use a trusted Certificate Authority to sign your certificates. Self-signed certificates should only be used for testing.
  • Regularly Renew Certificates: Certificates expire. Set reminders to renew them before they do.