@ty900000 said in FOG/Apache PKI/Certificate Authentication:
I did manage to get the FOG and the CA certificate installed and functional. It took a little rewriting of the functions.sh. This made HTTPS work properly, too
Not sure if you are aware of the installer having a command line switch forcing it to set up FOG with HTTPS?! Run ./installfog.sh --force-https and it should generate the right Apache config for you as well as compile iPXE binaries with the CA cert to trust included.
@george1421 Thanks heaps for your comment on this. Neither have I been involved in developing the LDAP plugin nor have I used it myself yet. I wasn’t aware of the point that a user account is needed. From what you said I would think PKI authentication would need to be added as a plugin just as well. Probably the LDAP plugin is a good start.
There is some good information on how to grab the client certificate information within PHP (and also what is needed on the Apache side again): https://cweiske.de/tagebuch/ssl-client-certificates.htm
Now to start off you’d generate at least one client certificate:
openssl genrsa -out user1.key 4096
openssl req -new -sha512 -key user1.key -out user1.csr
The last command will ask you for certificate details like country code and, most importantly, Common Name (CN) and Email Address. Those two could be important later on in the PHP code.
Next step: Sign the certificate request using the FOG server CA.
openssl x509 -req -in user1.csr -CA ./CA/.fogCA.pem -CAkey ./CA/.fogCA.key -CAcreateserial -out user1.crt -days 3650
You end up with a PEM certificate in user1.crt that should be importable in Firefox and other browsers.
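The client-certificate steps above as one runnable script, added here as an example and not taken from the post or from FOG itself. It assumes a throwaway CA generated in a scratch directory as a stand-in for ./CA/.fogCA.pem and .fogCA.key, supplies CN and Email Address through -subj instead of the interactive prompts, and adds the two things the post leaves to Apache and PHP: checking that the certificate actually chains to the CA, and reading CN and Email Address back out of the subject.

```shell
#!/bin/sh
# Added example, not code from the forum post: build a throwaway CA that stands
# in for the FOG CA (./CA/.fogCA.pem and .fogCA.key on a real server), issue a
# client certificate the way the post describes, verify that it chains to that
# CA, and read back the CN and Email Address the PHP side would use.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for all generated files

# Constructed stand-in CA ($1 = output basename, $2 = CA common name).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# The post's three openssl steps, with CN and emailAddress supplied via -subj
# instead of the interactive prompts ($1 = user name, $2 = CA basename).
issue_client_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/C=DE/CN=$1/emailAddress=$1@example.test"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 3650 2>/dev/null
}

# Succeeds only if the certificate chains to the given CA; this is the same
# trust decision Apache makes with SSLVerifyClient before PHP sees the request.
verify_client_cert() {
  openssl verify -CAfile "$1.pem" "$2" >/dev/null 2>&1
}

# Subject fields that the PHP code can later map to a FOG user account.
cert_cn()    { openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'; }
cert_email() { openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *emailAddress=//p'; }

# Stand-alone demo: issue user1 from the stand-in CA and show what Apache/PHP would see.
make_ca "$WORK/fogCA" "FOG stand-in CA"
issue_client_cert user1 "$WORK/fogCA"
if verify_client_cert "$WORK/fogCA" "$WORK/user1.crt"; then
  echo "user1.crt chains to the CA: CN=$(cert_cn "$WORK/user1.crt") email=$(cert_email "$WORK/user1.crt")"
else
  echo "user1.crt does NOT chain to the CA" >&2
fi
```

A certificate signed by any other CA fails verify_client_cert, which is exactly the case Apache must reject before the CN or Email Address is trusted for a login.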