HOWTO Configure Apache for SSL with DoD CAC Authentication on Ubuntu 9.04

Posted by Scott Jarkoff in Articles, Features


Administering Linux servers is an art form not mastered by many because it is mostly command-line driven. Windows, on the other hand, while a highly complex beast, has taught most administrators that configuration can be accomplished through a simple point-and-click interface.

One of the more difficult Linux tasks is properly configuring an Apache web server; the sheer power Apache can wield is evident in the vast number of configuration options available. Setting up Apache on Linux for SSL-based DoD Common Access Card (CAC) authentication is pure freaking magic. Learn how to configure an Ubuntu Linux 9.04 (Jaunty Jackalope) server to perform this much-needed functionality!

The Department of Defense has been slowly migrating away from software-based certificates in favor of two-factor authentication using the DoD CAC. As a general rule, DoD favors Microsoft over open source software (OSS) because of the support channels. It is for this reason most DoD web servers use Microsoft IIS – configuring CAC authentication on an IIS web server is relatively simple.

The following guide makes a number of assumptions. Namely:

  • You are fairly skilled at Linux administration (i.e. this is not your first Linux install, much less Apache install).
  • Ubuntu Server 9.04 has been installed and patched with all outstanding security patches.
  • Apache and OpenSSL have already been installed.

This guide is not designed to explain how to get Apache and SSL installed on an Ubuntu 9.04 (Jaunty Jackalope) server. What it covers is enabling CAC authentication on an already running Apache server on top of Ubuntu 9.04.

These steps cover Ubuntu 9.04 (Jaunty Jackalope) and should work without issue on a fresh installation of Ubuntu, Apache and OpenSSL without customization. If you have modified the defaults then you are obviously skilled enough to make the necessary determinations about how to make this work in your environment.

Incidentally, while this HOWTO was written with Ubuntu 9.04 (Jaunty Jackalope) in mind, most of the steps should work on any Ubuntu release or any other Linux distro. Just ensure you account for the nuances of your distro when modifying the files specified below.

HOWTO – Configuring Apache for SSL with DoD CAC Authentication on Ubuntu 9.04

  1. Login to server via SSH or console.
  2. Open up a web browser and surf to http://dodpki.c3pki.chamb.disa.mil/rootca.html to see the links to the three DoD Class 3 PKI root CA certificate bundles (DISA adds bundles as new roots are issued, so check the page for any beyond these three), then fetch them on the server.
    # wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_1024.cac
    # wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac
    # wget http://dodpki.c3pki.chamb.disa.mil/dodeca.cac
  3. The files DISA publishes are DER-encoded PKCS#7 (P7B) certificate bundles, which Apache cannot read directly, so they need to be converted to the Privacy Enhanced Mail (PEM) format. PEM is the Base64 text encoding of the DER certificate wrapped in BEGIN/END CERTIFICATE lines and is sometimes given a .crt extension. The .cac files downloaded above are these P7B bundles (DISA also publishes them under .p7b names). Convert each one to PEM; -print_certs writes out the individual certificates contained in the bundle.
    # openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_1024.cac -out rel3_dodroot_1024.pem -print_certs
    # openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.cac -out rel3_dodroot_2048.pem -print_certs
    # openssl pkcs7 -inform DER -outform PEM -in dodeca.cac -out dodeca.pem -print_certs
  4. mod_ssl takes its list of trusted client CAs from a single file (SSLCACertificateFile), so merge the converted bundles into one. The merged file must contain not only the roots but also the DOD CA-xx intermediate certificates that actually issue CAC certificates: mod_ssl has to build the full chain from the CAC certificate up to a root, and SSLVerifyDepth 2 in step 8 assumes exactly that CAC certificate -> DOD CA-xx -> root depth.
    # cat rel3_dodroot_1024.pem rel3_dodroot_2048.pem dodeca.pem > dod-root-certs.pem
  5. Install the certificates in the SSL subsystem.
    # cp rel3_dodroot_1024.pem /etc/ssl/certs/
    # cp rel3_dodroot_2048.pem /etc/ssl/certs/
    # cp dodeca.pem /etc/ssl/certs/
    # cp dod-root-certs.pem /etc/ssl/certs/
  6. If you have not already created a private key for the server, generate one now. Use 2048 bits (1024-bit RSA is no longer adequate) and keep the key readable by root only: the key is all an attacker needs to impersonate the server, so it must not sit world-readable next to the public certificates.
    # openssl genrsa -out your-server-name.pem 2048
    # chmod 600 your-server-name.pem
    # cp -p your-server-name.pem /etc/ssl/certs/
    On Ubuntu the conventional root-only location for keys is /etc/ssl/private/; if you put the key there instead, point SSLCertificateKeyFile in step 8 at that path.
  7. Create a Certificate Signing Request (CSR) from the private key in order to request an official server certificate from the DoD CA.
    # openssl req -new -key your-server-name.pem -out your-server-name.csr

    When prompted for the subject fields, use the standard DoD server certificate naming: DoD certificates are issued under C=US, O=U.S. Government with organizational units for DoD, PKI and the issuing agency (DISA here); your LRA can confirm the OU values for your organization. The field that must be right for your host is the Common Name.
    • Country Name: US
    • State or Province Name: leave blank (enter a single period to clear any default value)
    • Locality Name: leave blank, as above
    • Organization Name: U.S. Government
    • Organizational Unit Name: DoD (the interactive prompt takes one OU; PKI and DISA are the further OUs in DISA-issued certificates and can be supplied with the -subj option instead of the prompts)
    • Common Name: fully qualified domain name (i.e. server.domain.mil)
    • Challenge password and optional company name: leave blank
    • Surf to https://ca-17.c3pki.chamb.disa.mil/ca/ to formally request the certificate. Follow the links for a server certificate request and paste the full contents of the .csr file from the previous step (including the BEGIN/END lines) into the form field.
    • Note: Depending on your agency or affiliation with DoD you may have to complete steps outside the DISA request form. Check with your Local Registration Authority (LRA) for details.
    • Once the server certificate is issued, copy its entire Base64 (PEM) contents into a new file (i.e. your-server-name.crt) on the server.

    # cp your-server-name.crt /etc/ssl/certs/

  8. Configure the SSL virtual host to use the DoD-issued server certificate and to require a client certificate that chains to the DoD CAs; this is what makes the browser ask for the CAC. The key and certificate paths are the ones used in steps 6 and 7; adjust them if you placed the key elsewhere.
    # vi /etc/apache2/sites-available/default-ssl
    Ensure the following options are set inside the <VirtualHost> block (SSLEngine on is already present in the stock default-ssl).
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCertificateFile /etc/ssl/certs/your-server-name.crt
    SSLCertificateKeyFile /etc/ssl/certs/your-server-name.pem
    SSLCACertificateFile /etc/ssl/certs/dod-root-certs.pem
    SSLVerifyClient require rejects every connection that does not present a client certificate verifiable against the CA file; SSLVerifyDepth 2 allows one intermediate CA between the CAC certificate and the root; SSLCACertificateFile is both the trust store for that check and the list of CA names the server advertises in its certificate request, which is what lets the browser offer the CAC certificate. The SSL site must be enabled (a2enmod ssl, a2ensite default-ssl) for any of this to take effect.
  9. Restart Apache so the new configuration is loaded.
    # /etc/init.d/apache2 restart
  10. With a CAC in the reader, surf to https://your-server-name.domain.mil/ to ensure that the SSL connection is established, that the browser asks you to choose a certificate from the CAC and then for your CAC PIN, and that the page loads only after that. Check the negative case too: with no card inserted the server must refuse the request rather than serve the page.
  11. Automatically redirect all regular port 80 requests to the SSL-enabled vhost so that nothing is ever served over plain HTTP. This needs mod_rewrite (a2enmod rewrite).
    # mv /etc/apache2/sites-available/default /etc/apache2/sites-available/default-original
    # vi /etc/apache2/sites-available/default

    Paste the following in to the file:

    <VirtualHost *:80>
        ServerName your-server-name.domain.mil
        # Send every plain-HTTP request to the same path on the SSL vhost.
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    </VirtualHost>

    R=301 makes the redirect permanent so browsers cache it, and %{SERVER_NAME} is taken from the ServerName directive, so set that to the name on the server certificate.

  12. Restart Apache and you should be good to go!
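The certificate-handling steps 2 through 7 above, collected into one script as an added example; this is not code from the original post. It assumes the DISA PKCS#7 bundles named in step 2 are already downloaded into the current directory and that the openssl command-line tool is installed; the file names, the server FQDN and the OU values in the subject are placeholders to replace with the values your LRA gives you. Beyond the steps in the post it also checks what the bundle actually contains, tests that a certificate chains to the bundle alone, and confirms that the certificate the CA returns belongs to the key you generated.

```sh
#!/bin/sh
# Added example for steps 2-7 (not the original post's code): build the CA bundle
# SSLCACertificateFile will point at, inspect it, create the server key and CSR,
# and check the issued certificate against them.  All names are placeholders.
set -eu

# Convert one DER-encoded PKCS#7 bundle (.cac / .p7b) into a PEM file of certificates.
p7b_to_pem() {          # p7b_to_pem in.p7b out.pem
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# Concatenate PEM files into the single bundle mod_ssl wants.
build_bundle() {        # build_bundle out.pem in1.pem [in2.pem ...]
    out=$1; shift
    cat "$@" > "$out"
}

# Number of certificates in a PEM bundle.
count_certs() {         # count_certs bundle.pem
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject and expiry of every certificate in the bundle, one block per certificate.
# Read this to confirm the DOD CA-xx intermediates that issue CAC certificates are
# present, not only the roots: with SSLVerifyDepth 2 the chain
# CAC certificate -> DOD CA-xx -> root must be completable from this one file.
inventory() {           # inventory bundle.pem
    awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$1" |
    awk -v cmd='openssl x509 -noout -subject -enddate' '
        { print | cmd }
        /END CERTIFICATE/ { close(cmd) }'
}

# Does a certificate chain to the bundle on its own?  The system trust store is
# deliberately excluded so the result reflects only what mod_ssl will be given.
verify_cert() {         # verify_cert bundle.pem cert.pem  -> ok | FAILED
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    then echo ok; else echo FAILED; fi
}

# 2048-bit key written under umask 077 so it is never world-readable, then a CSR
# carrying the standard DoD server DN (the OU values are placeholders).
make_key_and_csr() {    # make_key_and_csr name server.fqdn.mil
    ( umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null )
    openssl req -new -key "$1.key" -out "$1.csr" \
        -subj "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=DISA/CN=$2"
}

# Once the CA returns the certificate, make sure it was issued for *this* key:
# the RSA modulus in the certificate must equal the one in the private key.
cert_matches_key() {    # cert_matches_key server.crt server.key -> match | MISMATCH
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa  -noout -modulus -in "$2")
    if [ "$c" = "$k" ]; then echo match; else echo MISMATCH; fi
}

# Whole sequence, e.g.:
#   sh cac-bundle.sh server.domain.mil rel3_dodroot_1024.cac rel3_dodroot_2048.cac dodeca.cac
main() {
    fqdn=$1; shift
    pems=""
    for f in "$@"; do
        p7b_to_pem "$f" "${f%.*}.pem"
        pems="$pems ${f%.*}.pem"
    done
    build_bundle dod-root-certs.pem $pems      # unquoted on purpose: split the list
    echo "dod-root-certs.pem holds $(count_certs dod-root-certs.pem) certificates:"
    inventory dod-root-certs.pem
    make_key_and_csr "$fqdn" "$fqdn"
    echo "CSR ready: $(openssl req -in "$fqdn.csr" -noout -subject)"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root in a scratch directory, then copy dod-root-certs.pem, the .crt the CA returns and the .key (mode 600) into the locations step 8 points at; run verify_cert against the issued server certificate as well, since a server certificate that does not chain to the same bundle is the usual cause of a browser trust warning.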

At this juncture you should have a working Apache SSL server that refuses anyone who cannot present a valid CAC. There is no fallback mechanism for authentication: no user is ever asked for a username and password, and if the client certificate check fails the user does not see the site. It is as simple as that. Two things the configuration above does not do, however. It does not check revocation, so a lost or revoked CAC keeps working until you load the DISA CRLs (converted to PEM, then referenced with SSLCARevocationFile or SSLCARevocationPath) or check OCSP. And it does not distinguish a CAC from any other client certificate issued under the same roots (the ECA root is in the bundle, so ECA certificates are accepted too), so an application that cares which kind of credential it got should inspect the client DN that mod_ssl exposes through SSLOptions +StdEnvVars (SSL_CLIENT_S_DN, SSL_CLIENT_I_DN).
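Steps 8 and 11 in one place, with the revocation and DN-exposure gaps just described closed, as an added example; this is not configuration from the original post. The ServerName, file paths and CRL file name are placeholders; the key is assumed to have been moved to /etc/ssl/private/ as suggested in step 6, and the CRL file is assumed to hold the DISA CRLs converted to PEM as in the comments below.

```apache
# Added example (not the post's own config): SSL vhost requiring a DoD client
# certificate, with revocation checking and the client DN exposed to the app.
<VirtualHost *:443>
    ServerName   server.domain.mil          # placeholder; must match the certificate CN
    DocumentRoot /var/www

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/your-server-name.crt
    SSLCertificateKeyFile /etc/ssl/private/your-server-name.pem   # root-only, mode 600

    # Roots *and* DOD CA-xx intermediates.  This file is also the list of CA
    # names sent in the CertificateRequest, which is how the browser knows to
    # offer the certificate from the CAC.
    SSLCACertificateFile  /etc/ssl/certs/dod-root-certs.pem
    SSLVerifyClient require
    SSLVerifyDepth  2                       # CAC cert -> DOD CA-xx -> root

    # Without this a revoked CAC still authenticates.  DISA CRLs are DER;
    # convert with `openssl crl -inform DER -outform PEM` and concatenate.
    # Apache 2.4 additionally needs: SSLCARevocationCheck chain
    SSLCARevocationFile   /etc/ssl/crl/dod-crls.pem               # placeholder path

    # Make SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_VERIFY etc. available to
    # CGI/PHP so the application can log and authorise on the verified identity.
    SSLOptions +StdEnvVars

    # Optional: accept only certificates issued by a U.S. Government CA even if
    # the bundle also contains other trusted roots.
    SSLRequire %{SSL_CLIENT_I_DN_O} eq "U.S. Government"
</VirtualHost>

# Plain HTTP exists only to bounce clients to HTTPS.
<VirtualHost *:80>
    ServerName server.domain.mil
    Redirect permanent / https://server.domain.mil/
</VirtualHost>
```

Enable the pieces with a2enmod ssl and a2ensite default-ssl (mod_rewrite is not needed once Redirect replaces the rewrite rule), run apache2ctl configtest before restarting, and after the restart confirm with a browser that a CAC is requested and, separately, that a connection with no certificate is refused rather than served.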

Hopefully this HOWTO helps someone out there in DoD IT-land. There is not a lot of information on the web about securing Apache for CAC authentication. Piecing this HOWTO together was quite troublesome but fun nonetheless!

15 comments

  1. Matthew

    worked great apache2.2 Solaris 10 x86

  2. CrimsonKnight13

    Excellent article. Helped solve my dilemma. Thanks!

  3. eddiepetosa

    Will this work on other versions of Ubuntu? Or is there another tutorial for that?
    Eddie Petosa
    ssl certificates

    • Scott Jarkoff

      There is no reason why this will not work on other versions of Ubuntu. You may need to adjust a thing or two but for the most part everything should work as listed above.

  4. redskinsone

    Is Step #7 above required — does your server cert need to be issued by the DoD ? Can it just be a self-signed or issued by VeriSign?

    • Scott Jarkoff

      Based on DoD policy, the cert needs to be issued by DISA. Self-signed certs, while fine for testing are not valid for everyday use.

  5. elitz

    Scott: you mentioned somewhere in your notes experimenting with using DoD CACs on a non-DoD server (not on any of the military domains). I'm attempting to read CAC cards on a non-DoD server. Happens to be a Windows server, so not exactly relevant to the above article, but nonetheless I thought I'd ask in case you had any insight into this subject. Thanks.

    • Scott Jarkoff

      I can't imagine it being any different, though I would wonder why you would need to read CACs from a non-DoD server. In any case, since it's Windows I expect you would have to use Tumbleweed and possibly ActiveCard, though I honestly have no experience in that arena (i.e. setting up a Windows server to authenticate DoD CACs).

  6. xw0rm

    OK, so I have already done this, but there is a new dodeca2.cac cert listed on the DISA web site (making the total number of root certs four now, instead of three). How does one add this in?

    • Chad

      Does any currently use DoD CAC and DoD ECA PKI both on the same site?

  7. Chad

    Does any currently use DoD CAC and DoD ECA PKI both on the same site?

  8. Matthew

    Have you messed with the CRL files at all? Looks like they're not in a format mod_ssl likes.

    • matthew

      openssl crl -in DOD_CA-13.crl -inform DER -out DOD_CA-13.crl -outform PEM
      Never mind, this works.

  9. Mark Loper

    Have you tried integrating with ocsp.disa.mil? I came across your blog while trying to find anyone who has done this successfully. I’m running outside the domain, so that may be the problem. The CAC tells the server to use ocsp, but I can’t tell if it’s even running out there. The server doesn’t seem to respond, but I’m not sure if it should either. thoughts?

  10. Ralford100

    For RedHat, as of 1/26/2012:

    1) Get the certificates from the DOD:
    # wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b
    # wget http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b
    # wget http://dodpki.c3pki.chamb.disa.mil/dodeca2.p7b

    2) Convert to Apache format:
    # openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.p7b -out rel3_dodroot_2048.pem -print_certs
    # openssl pkcs7 -inform DER -outform PEM -in dodeca.p7b -out dodeca.pem -print_certs
    # openssl pkcs7 -inform DER -outform PEM -in dodeca2.p7b -out dodeca2.pem -print_certs

    3) Consolidate them into one file:
    # cat dodeca2.pem dodeca.pem rel3_dodroot_2048.pem > dod-root-certs.pem

    4) Put them all into certs file:
    cp dodeca2.pem dodeca.pem rel3_dodroot_2048.pem dod-root-certs.pem /etc/pki/tls/certs

    5) Modify Apache Configuration file (/etc/httpd/conf.d/ssl.conf) by setting the following:
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCertificateFile /etc/ssl/certs/.crt
    SSLCertificateKeyFile /etc/ssl/certs/.pem
    SSLCACertificateFile /etc/ssl/certs/dod-root-certs.pem

    6) Restart Apache: service https restart