
Configuration of web servers

How personal identification is implemented depends on the client platform used. On Windows, independent authentication solutions can be built on the CSP of the ID-card, and web-based authentication is also possible. Browsers that support this include Internet Explorer and Netscape; Apache and IIS are among the servers with the corresponding support.

Also, please note the changes relating to the issue of ESTEID-SK 2007, described in the section "Changes relating to the issue of ESTEID-SK 2007" below.

 

Apache and ID-card support


Longer explanation - Veiko Sinivee 

Sample script for automatic renewal of CRLs - Reigo Küngas

The source of the first version: http://www.colleduc.ee/id.html, Taniel Kirikal

Tested with Apache 1.3.22 + mod_ssl 2.8.5 (the file locations indicated below should apply to Red Hat 7.x)

  • Download the SK certificates JUUR-SK, ESTEID-SK and ESTEID-SK 2007 in PEM format
  • Concatenate them into one file (the file name "ESTEID-SK 2007.PEM.cer" contains a space and must be quoted, otherwise the shell passes it as two arguments):
    cat JUUR-SK.PEM.cer ESTEID-SK.PEM.cer "ESTEID-SK 2007.PEM.cer" > id.crt
  • Copy id.crt into the folder /etc/httpd/conf/ssl.crt
  • In the SSL virtual host section of the file /etc/httpd/conf/httpd.conf, add the following row:
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/id.crt
  • Now go to the folder /etc/httpd/conf/ssl.crl and download the certificate revocation lists (CRLs, called cancellation lists below):
    wget http://www.sk.ee/crls/esteid/esteid.crl
    wget http://www.sk.ee/crls/esteid/esteid2007.crl
    wget http://www.sk.ee/crls/juur/crl.crl
  • Convert them from DER into the PEM format. Write to a temporary file and rename it afterwards; giving the same file name to -in and -out can truncate the file before it has been read:
    openssl crl -inform DER -in esteid.crl -outform PEM -out esteid.crl.tmp && mv esteid.crl.tmp esteid.crl
    openssl crl -inform DER -in esteid2007.crl -outform PEM -out esteid2007.crl.tmp && mv esteid2007.crl.tmp esteid2007.crl
    openssl crl -inform DER -in crl.crl -outform PEM -out crl.crl.tmp && mv crl.crl.tmp crl.crl
  • Generate the hash links for the converted files by running the make command in that folder (the Makefile shipped by mod_ssl in ssl.crl creates them).
  • Add the row SSLCARevocationPath /etc/httpd/conf/ssl.crl to the SSL virtual host section of the file /etc/httpd/conf/httpd.conf.
    Now the certificates and their cancellation lists should be known to the server. The cancellation lists must be renewed on a regular basis, for example by placing a corresponding script in the folder /etc/cron.daily. ATTENTION! Apache must be restarted after a new CRL has been downloaded (kill -HUP is not sufficient), otherwise the new cancellation list is not taken into use.
  • Add the following rows to the .htaccess file of the folder in your SSL virtual host where you wish to use ID-card authentication (provided that httpd.conf grants that folder AllowOverride AuthConfig Options):
    SSLVerifyClient require
    SSLVerifyDepth 3
  • Restart Apache: /etc/init.d/httpd restart
  • Now find a Windows machine with a smart card reader and a browser that already knows how to handle the ID-card, and test the access.
  • The server should now allow access to that folder only with an Estonian ID-card. At the same time the server gets access to all data in the certificate on the ID-card, for example the name, the personal identity code, etc.
  • Should you need the server to put the certificate data into environment variables (so that they can be used in scripts), add something like this to the .htaccess file:
    <Files ~ "\.(cgi|shtml|php)$">
      SSLOptions +StdEnvVars +ExportCertData
    </Files>
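The renewal script mentioned in the steps above, written out as an added example (it is not the script by Reigo Küngas referred to at the top of this section, nor SK's own code). It assumes the layout from the instructions: converted CRLs in /etc/httpd/conf/ssl.crl, the concatenated SK certificates in /etc/httpd/conf/ssl.crt/id.crt, and that it is installed as /etc/cron.daily/crl-renew; all three names are assumptions and the first two can be overridden through the environment. Beyond the plain download shown above it converts each CRL into a separate file, and installs it only after checking that it is a parseable CRL signed by one of the SK certificates, so a truncated or foreign file fetched over plain HTTP cannot silently replace a good cancellation list.

```shell
#!/bin/sh
# Daily CRL renewal for the Apache setup above, meant for /etc/cron.daily/crl-renew.
# Added example, not the script referenced on the page. Assumed layout (from the
# instructions; overridable through the environment): converted CRLs live in
# /etc/httpd/conf/ssl.crl, the concatenated SK certificates in
# /etc/httpd/conf/ssl.crt/id.crt.
set -eu

CRL_DIR="${CRL_DIR:-/etc/httpd/conf/ssl.crl}"
CA_FILE="${CA_FILE:-/etc/httpd/conf/ssl.crt/id.crt}"
CRL_URLS="http://www.sk.ee/crls/esteid/esteid.crl
http://www.sk.ee/crls/esteid/esteid2007.crl
http://www.sk.ee/crls/juur/crl.crl"

# DER -> PEM into a separate output file (mod_ssl reads PEM CRLs); never give
# the same file to -in and -out.
crl_der_to_pem() {   # $1 = DER input, $2 = PEM output
    openssl crl -inform DER -in "$1" -outform PEM -out "$2"
}

# Accept a CRL only if it parses and its signature verifies against one of the
# issuer certificates in the bundle $2. Every OpenSSL version prints "verify OK"
# on stderr, so the combined output is checked instead of the exit status,
# which older versions do not set on a failed verification.
crl_is_trusted() {   # $1 = PEM CRL, $2 = PEM bundle with the issuer certificates
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Convert and verify a downloaded DER CRL; replace the installed copy only when
# both checks pass, so a truncated, corrupt or foreign download leaves the
# previous CRL in place rather than silently disabling revocation checking.
install_crl_file() {   # $1 = DER file, $2 = destination PEM CRL, $3 = issuer bundle
    pem_tmp="$2.tmp.$$"
    if crl_der_to_pem "$1" "$pem_tmp" && crl_is_trusted "$pem_tmp" "$3"; then
        mv "$pem_tmp" "$2"
        return 0
    fi
    echo "rejected $1: not a valid CRL signed by a certificate in $3" >&2
    rm -f "$pem_tmp"
    return 1
}

# Fetch one CRL over plain HTTP (as the SK URLs are) and hand it to install_crl_file.
install_crl_url() {    # $1 = URL, $2 = destination PEM CRL, $3 = issuer bundle
    der_tmp="$2.der.$$"
    rc=0
    if wget -q -O "$der_tmp" "$1"; then
        install_crl_file "$der_tmp" "$2" "$3" || rc=1
    else
        echo "download failed: $1" >&2
        rc=1
    fi
    rm -f "$der_tmp"
    return "$rc"
}

main() {
    cd "$CRL_DIR"
    updated=0
    failed=0
    for url in $CRL_URLS; do
        if install_crl_url "$url" "$(basename "$url")" "$CA_FILE"; then
            updated=1
        else
            failed=1
        fi
    done
    if [ "$updated" -eq 1 ]; then
        make >/dev/null               # regenerate the hash links in ssl.crl
        /etc/init.d/httpd restart     # a HUP is not enough; see the step above
    fi
    return "$failed"
}

# Run main only when installed under its intended name; sourcing the file
# (for example to test the functions) then just defines them.
case "$(basename "$0")" in crl-renew*) main ;; esac
```

Install it as /etc/cron.daily/crl-renew with execute permission. The restart is deliberately done only when at least one CRL was replaced, and the exit status is non-zero when any download or check failed, so cron's mail reports a stale cancellation list instead of hiding it.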
 

Verification of the validity of certificates

With the method above, the validity of certificates is verified by regularly downloading the cancellation (revocation) lists. It is the simplest method and sufficient for sites where the transactions are of relatively low importance. As the renewal interval of the cancellation lists can be up to 12 hours, it can happen that a person's certificates have already been revoked but the information has not yet reached the cancellation list used by the system.

A more secure way than using the cancellation lists is to verify validity upon each transaction through the OCSP service, which provides the most up-to-date validity information in real time. However, this is somewhat complicated: the corresponding functionality of OpenSSL has yet to reach its final form and is currently in beta testing, and it has not been integrated into mod_ssl yet. Validity verification through OCSP is of course possible inside the web application itself. Instructions are available here.


IIS and ID-card support

(The author of the initial instructions: Mihkel Ütt, Seesam Elukindlustus)

For additional information, see also the description of an SSL session on the pages of Microsoft.

  • Windows 2000 Server, incl. Internet Information Services and service packs
  • Install JUUR-SK in the web server's trusted root store
  • Also install the ESTEID-SK and ESTEID-SK 2007 certificates in the web server's intermediate CA store
  • ATTENTION: make sure they are added to the certificate store of the Computer and not to the User level. It is therefore wise to review the result with certmgr.msc.
  • Also install the certificate needed for SSL on the web server. How to make that certificate is not described here (especially if it is done by oneself). The SSL certificate of a particular virtual server is set from its properties, under the Directory Security tab.
  • The same place on the virtual server level can also be used to set the CTL (Certificate Trust List), which makes further actions and verification easier. The SK certificates JUUR-SK, ESTEID-SK and ESTEID-SK 2007 must be added to the list. Enable the CTL.
  • In the scope of the whole site, choose Ignore under Client Certificates; then the certificate is not so critical for every single page.

Let us presume that only one file is used for certificate-based authentication (logon). Create, for example, a file logon.asp and place it in the root directory. Its contents could be the following (VBScript):

<%
If Len(Request.ClientCertificate("Subject")) = 0 Then
    Response.Write("No client certificate was presented")
End If

' List every field of the presented certificate, one per line
For Each key In Request.ClientCertificate
    Response.Write(key & ": " & Request.ClientCertificate(key) & vbCrLf)
Next
%>

The above script does nothing except use one object built into IIS and its collection.

In the IIS Manager, select the file (logon.asp), choose Properties, then File Security, and in Secure communications press the Edit button. Select Accept client certificates. In that case IIS asks for the client's certificate but does not mind if none is presented.

The rest is relatively simple: when a file with the Accept client certificates setting is sent to a client, the additional data needed for requesting the certificate are inserted in the header; the browser should understand this and prompt the user to select a certificate.

Now the certificate is loaded into the web server and the built-in tools automatically verify it against the CRL. The validity period itself is not something we can work around; we have the possibility, though not the obligation, to take it into account in the script:

...
If Request.ClientCertificate("ValidFrom") > Now() Or Request.ClientCertificate("ValidUntil") < Now() Then
    Response.Write("The certificate is outside its validity period")
End If
...

The CRL is, again, handled by IIS and, to my knowledge, it uses the HTTP protocol.

Now the personal identity code can be read from the respective Subject branch of the certificate:

Request.ClientCertificate("Subject2.5.4.5")

Therefore, in order to display the square root of the personal identity code, something like this could be inserted among the rest of the HTML:

<%= Sqr(Request.ClientCertificate("Subject2.5.4.5")) %>

 
Changes relating to the issue of ESTEID-SK 2007

Pursuant to an amendment of the Identity Documents Act, the upper limit of the validity time of certificates issued to personal identity cards (the ID-cards) is 5 years since 1 January 2007. Up to that time, certificates with the time of validity of 3 years were issued to ID-cards.

Certificates are currently issued to identity cards by the SK-supervised certifier ESTEID-SK, and the validity time of its signing key terminates on 13 January 2012.

Considering the changes referred to in the first paragraph, the Certification Centre created a signing key, ESTEID-SK 2007, for the certifier issuing certificates to identity cards on 3 January at 14:22:37; its public key is given in the certificate:

Specifier: CN = ESTEID-SK, OU = ESTEID, O = AS Sertifitseerimiskeskus, C = EE
Number: 459BA00D
Beginning of validity: 03.01.2007 14:22:37
End of validity: 26.08.2016 16:23:01
Hash (SHA1): 305D 9B27 3E69 8527 625B 64CC CBAF BFDB 32A6 4264

The certificate of the new certifier can be downloaded from the SC homepage http://www.sk.ee/files/ESTEID-SK 2007.pem.cer.

Pursuant to the above change, web services that support authentication must add the ESTEID-SK 2007 certificate to their certificate files or stores of trusted certifiers. Developers of special ID-card based solutions, and all other applications that support authentication, must take the change into account as well.

Services that use cancellation lists for verification of certificates must note that the cancellation lists issued by ESTEID-SK 2007 are available from: http://www.sk.ee/crls/esteid/esteid2007.crl

In addition to the change referred to above, UTF-8 encoding is used in the identifier of certificates issued by ESTEID-SK 2007; until now, UCS-2 encoding was used in certificate identifiers.

If the Certificate validity confirmation service provided by the SC is used when verifying certificates, note that the validity confirmations of ESTEID-SK 2007 certificates are signed with a key whose public key is in the certificate:

Certificate identifier: CN = ESTEID-SK 2007 OCSP RESPONDER, OU = OCSP, O = ESTEID, C = EE
Number: 459D1A72
Beginning of validity: 04.01.2007 17:17:06
End of validity: 08.01.2010 17:17:06
Hash (SHA1): FDD7 2A93 2E8F 7B85 FCE5 6336 A109 85D7 6A2B 82BE

The validity confirmation certificate can be downloaded from the SC homepage http://www.sk.ee/files/ESTEID-SK 2007 RESPONDER.pem.cer.

In order to verify the validity confirmation, this certificate must be added to software relating to the digital signing process. More precise instructions are given on the web page of SC: http://www.sk.ee/pages.php/0202070108,1187.

In order to simplify the spread of these certificates, SC adds them to the ID-card installation software http://installer.id.ee.

The new certifier started to issue certificates to ID-cards on 13 January 2007 at 0:00.

The certifier that issued certificates to ID-cards until now will continue to accept certificate suspension, reactivation and revocation requests and to issue cancellation lists until the end of the validity period of the last certificate it issued (in January 2012).

Last updated: 01.06.2007