Prompt for passphrase each session while accessing a page with mutual/2-way authentication (with p12 certificate)

I have the following configuration: Apache 2.2 with SSL, MySQL, PHP 5. I made protection of one page with mutual authentication (p12 client certificate). Now you can access the page only if you have this certificate installed in your browser. While you access the page, you are prompted only to choose the certificate. But this is not enough for me. Is there a way to protect the use of the certificate with a passphrase? I mean, every time Apache pairs the connection with the client, not only to ask for the certificate, but when you choose the certificate, to force you to use a passphrase for certificate decryption. I hope you understand my question, even if my terminology is not fully correct.

UPDATE

I found this article: http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3 But which part is it that I am missing? Here is my certificates configuration:

# Folders structure:
#
# cert
#   |-- CA
#   |
#   |-- server
#   |  |-- certificates
#   |  |-- keys
#   |  |-- requests
#   |
#   |-- user
#      |-- certificates
#      |-- keys
#      |-- requests
#
# cd to cert folder
#

# shell variables used below (bash syntax; "define" is not a shell command)
server='ServerName'
client='ClientName'
declare -i days=3650

# CA self-signed certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -out ./CA/CA.key 4096 # generate Key
openssl req -new -key ./CA/CA.key -out ./CA/CA.csr # generate Certificate Signing Request
openssl x509 -req -days $days -in ./CA/CA.csr -out ./CA/CA.crt -signkey ./CA/CA.key # self-sign the Certificate

# Server certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -des3 -out ./server/keys/$server.key 4096 # generate Key
openssl req -new -key ./server/keys/$server.key -out ./server/requests/$server.csr # generate Certificate Signing Request
openssl ca -days $days -in server/requests/$server.csr -cert ./CA/CA.crt -keyfile ./CA/CA.key -out ./server/certificates/$server.crt # generate and sign Certificate with CA

# Client certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -des3 -out ./user/keys/$client.key 4096 # generate Key
openssl req -new -key ./user/keys/$client.key -out ./user/requests/$client.csr # generate Certificate Signing Request
openssl ca -in ./user/requests/$client.csr -cert ./CA/CA.crt -keyfile ./CA/CA.key -out ./user/certificates/$client.crt # generate and sign Certificate with CA
openssl pkcs12 -export -clcerts -in ./user/certificates/$client.crt -inkey ./user/keys/$client.key -out ./user/certificates/$client.p12 # generate P12 certificate; the export password prompted here encrypts the private key inside the .p12

Or do I need to set up Apache for that?

There are 1 best solutions below

OK, I think I found it: asking for the passphrase is not the certificate's task, but (in the current case) the browser's task. In IE you can check the "Enabling Strong Private Key Protection" checkbox while importing the certificate. In Firefox, use a Master Password. I haven't played with other browsers.

If you have more suggestions or knowledge, I will be glad to read them!
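To show the server side of the answer above, here is an added Apache 2.2 mod_ssl configuration for the certificate layout in the question (example config written for this page, not from the question or the answer); the paths under /etc/apache2/cert, the ServerName, the /protected location and the CA's common name are assumptions. Apache can require and verify the client certificate, but the passphrase that unlocks the client's private key lives in the browser's key store, so there is no server directive that can force it.

```apache
# Server-config context: the server key was generated with -des3 (encrypted),
# so Apache will prompt for its passphrase at startup; "builtin" means the
# prompt goes to the console instead of an external program.
SSLPassPhraseDialog builtin

<VirtualHost *:443>
    ServerName ServerName.example.test          # assumption
    SSLEngine on
    SSLProtocol all -SSLv2
    # Server certificate and key (paths assumed, matching the question's layout)
    SSLCertificateFile    /etc/apache2/cert/server/certificates/ServerName.crt
    SSLCertificateKeyFile /etc/apache2/cert/server/keys/ServerName.key
    # CA that signed the client certificates; only certs chaining to it are accepted
    SSLCACertificateFile  /etc/apache2/cert/CA/CA.crt
    # Default: no client certificate needed for the rest of the site
    SSLVerifyClient none

    <Location /protected>
        # Require a client certificate for this page only. Apache verifies the
        # chain and the handshake signature; the browser decides whether to
        # ask the user for a passphrase before using the private key.
        SSLVerifyClient require
        SSLVerifyDepth 1
        # Defence in depth: reject certs whose issuer is not our CA,
        # even if another CA were ever added to SSLCACertificateFile.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "My Client CA"   # assumed CA CN
        SSLOptions +StrictRequire
        # Make the client's subject available to PHP as SSL_CLIENT_S_DN
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Per-directory SSLVerifyClient triggers a renegotiation on first access to /protected, which is when the browser's certificate chooser (and, if configured, its key-store passphrase prompt) appears.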