Dual authentication in webclient
Posted by Ondrej Vanek, Last modified by Ondrej Vanek on 26 July 2016 05:27 AM

Dual authentication is a new feature that improves the security of the server-client connection.

It is very useful if you want to protect your mail server from unauthorised access to your webclient, EAS account or other client by anyone who does not hold a dedicated client pkcs12 certificate; a rule defines whether the certificate is required for connections from all networks or only from external ones. Because a pkcs12 certificate generated via openssl can also be password protected, very strong and generated for each user separately (and used for email signing and encryption as well), your server and all information in user accounts can be secured in the same way as current connections to the banking sector.

The following scenario uses your own self-signed certificate authority created with openssl on Windows.
If you run into a problem while creating the certificates (e.g. an error where openssl is looking for something at a Linux path), use the attached installer.


After installing the openssl library (choose "Copy OpenSSL DLLs to the Windows system directory"), run openssl.exe from the install directory and create the private key, self-sign the root certificate and import it into your server's Trusted Root Certification Authorities store.

For automatic generation of p12 certificates for each user separately from a csv file, use the certificator.
For better security and further tips and tricks on generating certificates, search the web; for Linux read the following article. Since openssl is Linux based, it is much easier to create and handle a CA there.



Steps:

- create the root key
- self-sign the root certificate
- import the root certificate into Trusted Root Certification Authorities
- set the signed rootCA.pem as a trusted CA in the IceWarp admin console
- generate the client certificate, sign it with the root CA and convert it to pkcs12 form
- create a rule for the IP range in console > Web > Access tab and enable the "Require client certificate" checkbox
- import the pkcs12 certificate into the user's web browser (Settings > Certificates > Your (personal) certificates)

EXAMPLES:
openssl.exe
1. To create the root key, execute:

openssl> genrsa -aes256 -out rootCA.key 4096

(-aes256 encrypts the key with a passphrase; -des3 does the same with the older 3DES cipher. You will be asked for this passphrase each time you sign a csr.)

2. The next step is to create a self-signed root certificate from this key:

openssl> req -x509 -new -nodes -key rootCA.key -days 2048 -out rootCA.pem

This starts an interactive script that asks you for various bits of information. Fill it out as you see fit.
Once done, this creates an SSL certificate called rootCA.pem, signed by itself and valid for 2048 days, which will act as your root certificate.
To make this certificate trusted on your server, copy rootCA.pem elsewhere, rename it to rootCA.crt, double-click it and click Install Certificate.
In the Certificate Import Wizard choose the certificate store manually, enable the "Show physical stores" checkbox

and choose Trusted Root Certification Authorities > Local Computer.

(screenshot: trusted CA)
To define the self-signed certificate as a CA certificate in IceWarp, go to console > Certificates > CA Certificates and click the Add button,

choose the rootCA.pem file and confirm. You have now defined a CA certificate for your IceWarp server.

(You can create and use several CA certificates together, e.g. each domain can use its own CA, which makes client certificates easier to manage. At the moment the only way to protect your server against abuse of a client certificate is to recreate the CA.)

3. The next step is to generate the client certificate, sign it with the root CA and convert it to pkcs12 form.
Note: if you would like to create client certificates for each user separately, for email signing and encryption as well, skip steps 3 to 5 and follow this article instead.

openssl> genrsa -aes256 -out client.key 2048

4. Once the key is created, generate the certificate signing request:

openssl> req -new -key client.key -out client.csr

You will be asked various questions (Country, State/Province, etc.). Answer them as you see fit. The important one is the Common Name:

Common Name (eg, YOUR name) []: your server hostname (or domain name)

(In this example you can fill in any CN you want, but using the hostname adds trust for users, who will then not delete the certificate as "unknown" in a moment of weakness; domain names can also be useful for managing a multi-domain server.)

Note: if you plan to generate more client certificates and want to build a proper CA with certificate management in openssl, the CN must be unique for each certificate.

5. Once that is done, sign the CSR; this requires the CA root key.

openssl> x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500

6. The client certificate and key must be converted to the PKCS12 format before they can be imported into the browser on the client desktop. The general form of the command is:

openssl> pkcs12 -export -in <Directory-Path>/<Client-Certificate-Filename> -inkey <Directory-Path>/<Client-Key-Filename> -out <Directory-Path>/<Client-PKCS12-Filename> -name "<PKCS12-Name>"

For example, to convert the /shared/exampleCA/client1.crt certificate with the /shared/exampleCA/client1.key key into the PKCS12 file client1.p12, type:

openssl pkcs12 -export -in /shared/exampleCA/client1.crt -inkey /shared/exampleCA/client1.key -out /shared/exampleCA/client1.p12 -name "client1 pkcs12"

7. Now go to the IceWarp console > Web, double-click the settings of the WebClient page > Access and create a rule that requests a certificate from the client while connecting to the WebClient.

(screenshot: access rule)
This rule enforces dual authentication for connections from outside the internal network. You can also specify the URI, e.g. /webmail, or /Microsoft-Server-ActiveSync for EAS; users would then have to import the pfx/p12/pkcs12 certificate into their devices. (To be honest, I have not tested it via EAS yet.)



8. On the client machine, import the pkcs12 certificate into the user's browser (Settings > Certificates > Your Certificates > Import; the exact path depends on the browser) or import it into the system via the Certificate Import Wizard.
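Steps 1 to 6 as one non-interactive script, added here as an example; it is not part of the original article nor IceWarp's certificator. It assumes a POSIX shell with openssl on the PATH, and the directory, user name, subject names and passphrases are placeholders. It ends with the two checks worth running before a .p12 is handed to a user: that the certificate chains to the CA the server trusts (what the access rule's "require client certificate" check relies on), and that the bundle cannot be opened without its password.

```shell
#!/bin/sh
# Example script added to this article (not IceWarp's certificator).
# Passphrases are passed as "pass:..." only to keep it non-interactive;
# for real use let openssl prompt or read them from a protected file.
set -eu

make_client_p12() {
    dir="$1"; user="$2"; ca_pass="$3"; p12_pass="$4"
    mkdir -p "$dir"
    # 1. root key, passphrase-protected with AES-256
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$dir/rootCA.key" 4096 2>/dev/null
    # 2. self-signed root certificate (-subj replaces the interactive prompts; placeholder CN)
    openssl req -x509 -new -key "$dir/rootCA.key" -passin "pass:$ca_pass" \
        -days 2048 -subj "/CN=Demo Mail Root CA" -out "$dir/rootCA.pem"
    # 3. client key; it only travels inside the .p12, which gets its own password in step 6
    openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
    # 4. CSR with a CN unique per user (required once you issue many client certs)
    openssl req -new -key "$dir/$user.key" -subj "/CN=$user" -out "$dir/$user.csr"
    # 5. sign with the root CA; -CAcreateserial writes rootCA.srl on first use
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -passin "pass:$ca_pass" -CAcreateserial -days 500 -out "$dir/$user.crt" 2>/dev/null
    # 6. PKCS12 bundle, protected by the password the user types at import time
    openssl pkcs12 -export -in "$dir/$user.crt" -inkey "$dir/$user.key" \
        -passout "pass:$p12_pass" -name "$user pkcs12" -out "$dir/$user.p12"
}

# Does the client certificate chain to the CA the server will trust?
verify_client_cert() {
    dir="$1"; user="$2"
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/$user.crt" >/dev/null 2>&1
}

# Does the .p12 open with its password and refuse a wrong one?
p12_needs_password() {
    dir="$1"; user="$2"; p12_pass="$3"
    openssl pkcs12 -in "$dir/$user.p12" -passin "pass:$p12_pass" -noout 2>/dev/null \
        && ! openssl pkcs12 -in "$dir/$user.p12" -passin "pass:wrong-$p12_pass" -noout 2>/dev/null
}
```

To issue certificates for a whole csv of users, call make_client_p12 once per line with the same CA directory; the root key and certificate are only created on the first call if you guard steps 1 and 2 with a file-exists test.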


© o.vanek



Attachments:
win32openssl-1_0_2d.exe (20.59 MB)