Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time, being a default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
By default the TLS protocol only proves the identity of the server to the client using an X.509 certificate, and the authentication of the client to the server is left to the application layer. TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves a less user-friendly experience, it’s rarely used in end-user applications.
Mutual TLS authentication (mTLS) is much more widespread in business-to-business (B2B) applications, where a limited number of programmatic and homogeneous clients connect to specific web services, the operational burden is limited and security requirements are usually much higher as compared to consumer environments. (Wikipedia)
Debian
Create a new directory where we can store the private keys and certificates
sudo su
mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
Generate a self-signed certificate CA
openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 365 -outform PEM -out ca.cer
Generate private SSL key for the server
openssl genrsa -out server.key 2048
Generate Certificate Signing Request in PKCS#10 format
openssl req -new -key server.key -out server.req
Issue server certificate with serial number 100
openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extensions server -days 365 -outform PEM -out server.cer
server.req is not needed any more
rm server.req
Generate private key for SSL client
openssl genrsa -out client.key 2048
Generate Certificate Signing Request for client
openssl req -new -key client.key -out client.req
Issue a client certificate with serial number 101
openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer
Save client’s private key and certificate in a PKCS#12 format
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
Enter an export password when prompted; it protects the private key inside client.p12 and is needed when importing the file into a browser or client
Files client.key, client.cer and client.req are no longer needed
rm client.key client.cer client.req
Edit SSL configuration file
sudo nano /etc/apache2/sites-available/default-ssl.conf
Locate and uncomment the following lines
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/ssl/ca.cer
Locate and edit the following lines
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key