The goal of this tutorial is to configure certificate-based mutual authentication on Apache HTTP Server. The tutorial is divided into two parts: the first part configures server-side HTTPS, the second part configures the client-side certificate.
Step 0 (Optional; skip it if you use an external CA like GoDaddy or VeriSign)
Point OpenSSL at its config file
set OPENSSL_CONF=C:\JimmyWork\Development\xampp\apache\conf\openssl.cnf
Create a CA key
openssl genrsa -out JimmyCA.key 2048
Create a CA PEM (a self-signed CA certificate; JimmyCA.pem is not referenced again in this tutorial)
openssl req -x509 -new -nodes -key JimmyCA.key -days 1024 -out JimmyCA.pem
Export the CA certificate (CRT) to be used in the Apache server
openssl req -new -key JimmyCA.key -x509 -days 1095 -out JimmyCA.crt
Step 1, on your server
Create a server key
openssl genrsa -out JimmyServer.key 2048
Create a server PEM (a self-signed server certificate; JimmyServer.pem is not referenced again in this tutorial)
openssl req -x509 -new -nodes -key JimmyServer.key -days 1024 -out JimmyServer.pem
Create a server CSR (this is what the CA signs; the server key never leaves the server)
openssl req -new -key JimmyServer.key -out JimmyServerForSigning.csr
Step 2, on your CA (skip it if you use an external CA)
Use the CA key to sign the CSR
openssl x509 -req -days 365 -in JimmyServerForSigning.csr -CA JimmyCA.crt -CAkey JimmyCA.key -CAcreateserial -out JimmyCASignedJimmyServer.crt
Step 3, on your server
Copy JimmyServer.key, JimmyCASignedJimmyServer.crt and JimmyCA.crt to the Apache folders, and add the following lines to httpd-ssl.conf, in the VirtualHost section:
SSLCertificateFile "conf/ssl.crt/JimmyCASignedJimmyServer.crt"
SSLCertificateKeyFile "conf/ssl.key/JimmyServer.key"
SSLCertificateChainFile "conf/ssl.crt/JimmyCA.crt"
Restart Apache and DONE!
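The script below is an added example, not part of the original tutorial. It runs Steps 0 to 2 non-interactively in a scratch directory (private CA, server key and CSR, CA-signed server certificate), then performs the checks worth doing before the files are copied into Apache in Step 3: that the server certificate actually chains to JimmyCA.crt (the file you will put in SSLCertificateChainFile), that JimmyServer.key and JimmyCASignedJimmyServer.crt belong together, and the SHA-256 fingerprint of the CA certificate, which you compare out of band before importing the root into a browser in Step 4. File names follow the tutorial; the subject names (Jimmy Test CA, server.example.test) are constructed placeholders. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): private CA, server CSR,
# CA-signed server certificate, and the pre-deployment checks.
# Subject names below are constructed placeholders.
set -eu

# Step 0: create a private CA (key + self-signed certificate <name>.crt).
make_ca() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/$name.key" -days 1095 \
        -subj "/CN=$cn" -out "$dir/$name.crt"
}

# Step 1: server key and CSR. Only the CSR is handed to the CA; the key stays put.
make_server_csr() {
    dir=$1
    openssl genrsa -out "$dir/JimmyServer.key" 2048 2>/dev/null
    openssl req -new -key "$dir/JimmyServer.key" \
        -subj "/CN=server.example.test" -out "$dir/JimmyServerForSigning.csr"
}

# Step 2: the CA signs the CSR, producing JimmyCASignedJimmyServer.crt.
sign_server_csr() {
    dir=$1; ca=$2
    openssl x509 -req -days 365 -in "$dir/JimmyServerForSigning.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -out "$dir/JimmyCASignedJimmyServer.crt" 2>/dev/null
}

# Check 1: does the server certificate chain to the given CA certificate?
# Non-zero exit means the wrong CA file would end up in SSLCertificateChainFile.
chain_verifies() {
    dir=$1; ca=$2
    openssl verify -CAfile "$dir/$ca.crt" \
        "$dir/JimmyCASignedJimmyServer.crt" >/dev/null 2>&1
}

# Check 2: do SSLCertificateKeyFile and SSLCertificateFile carry the same
# public key? Apache will not serve the site correctly if they do not.
key_matches_cert() {
    dir=$1
    key_pub=$(openssl pkey -in "$dir/JimmyServer.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$dir/JimmyCASignedJimmyServer.crt" -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Check 3: SHA-256 fingerprint of the CA certificate. Compare it out of band
# before importing the root into a browser (Step 4): any root a browser trusts
# can vouch for certificates of any site name.
ca_fingerprint() {
    openssl x509 -in "$1/$2.crt" -noout -fingerprint -sha256
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" JimmyCA "Jimmy Test CA"
    make_server_csr "$d"
    sign_server_csr "$d" JimmyCA
    chain_verifies "$d" JimmyCA && echo "chain OK: server cert is signed by JimmyCA.crt"
    key_matches_cert "$d" && echo "key/cert match: JimmyServer.key fits JimmyCASignedJimmyServer.crt"
    ca_fingerprint "$d" JimmyCA
    echo "files to copy into Apache are in $d"
}

demo
```

Running the script prints the two check results and the CA fingerprint, and leaves the generated files in a temporary directory. The chain check is the one that catches the most common mistake in Step 3: pointing SSLCertificateChainFile at a CA certificate other than the one that actually signed the CSR.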
Step 4, verification on your client
Before this, the client has to import the CA certificate (for an external CA like GoDaddy, the root certificate is already imported).
Now import the root CA, so that you trust all certificates signed by the root CA:
Open the advanced settings of the browser
Manage certificates
Import the root CA certificate
The site is now trusted
^_^