kerattila/laravel-x509-auth

X509 Authentication integration for Laravel.

1.0.1 2023-02-20 18:02 UTC

This package is auto-updated.

Last update: 2024-03-20 20:46:40 UTC


README

This package allows you to generate root certificates and signed certificates for various purposes (e.g. authentication).

Install and configure

You can install the package via composer:

composer require kerattila/laravel-x509-auth

Publish the config file by running:

php artisan vendor:publish --provider="Kerattila\X509Auth\X509AuthServiceProvider"

After publishing the configuration file, adjust the values according to your needs:

<?php

return [
    'workdir' => base_path(),
    // This should point to the user class
    'user_class' => \App\User::class,
    // In case you want to extend the original certificate class
    'certificate_class' => \Kerattila\X509Auth\Certificate\ClientCertificate::class,
    'middleware' => [
        // Enable or disable middleware
        'enabled' => true,
        'rules' => [
            /** SSL parameter === user field */
            'SSL_CLIENT_M_SERIAL' => 'username',
            'SSL_CLIENT_S_DN_Email' => 'email'
        ],
        // Automatically log in the user if certificate matches a user
        'auto_login' => true
    ],
    'root_ca' => [
        'private_key_name' => 'root_ca_private', // Root certificate private key name
        'public_key_name' => 'root_ca_public', // Root certificate public key name
        'numbits' => 2048, // Key size in bits
        'days' => 365, // The validity time for the ROOT CA
        /** This will be converted to SSL subject /C=RO/ST=Mures/L=Targu Mures/O=ACME Corporation/CN=domain.com */
        'subject' => [
            'C' => 'RO', // 2 letter country code
            'ST' => 'Mures', // State
            'L' => 'Targu Mures', // Locality
            'O' => 'ACME Corporation', // Organization
            'CN' => 'domain.com' // Common name
        ]
    ],
    'signed_cert' => [
        'private_key_name' => 'private', // Private key name
        'public_key_name' => 'public', // Public key name
        'csr_key_name' => 'csr', // CSR (Certificate Sign Request) file name
        'numbits' => 2048,
        'days' => 365, // Validity of the certificate
        /** This will be converted to SSL subject /C=RO/ST=Mures/L=Targu Mures/O=ACME Corporation/CN=domain.com */
        'subject' => [
            'C' => 'RO', // 2 letter country code
            'ST' => 'Mures', // State
            'L' => 'Targu Mures', // Locality
            'O' => 'ACME Corporation', // Organization
            'OU' => 'IT Department', // Organizational unit
            'CN' => 'domain.com', // Common name
            'emailAddress' => 'email@domain.com', // Email address
        ],
        // SAN - Subject alternative names
        'alt_names' => [
            'domain.com',
            'domain.net',
            'domain.eu'
        ]
    ]
];

How to use

Apache configuration:

# Require a valid client certificate; leave this line out if SSL is optional to log in
SSLVerifyClient require
# Maximum depth for certificate check
SSLVerifyDepth 10
# Point this to the Root CA certificate (the public certificate, not the private key)
SSLCACertificateFile {DOCROOT_CLIENT}/ssl/rootCA.crt.pem
# Creates the standard set of CGI/SSI environment variables that are related to SSL
SSLOptions +StdEnvVars

Middleware:

Add the \Kerattila\X509Auth\Middleware\X509::class middleware class to your application kernel:

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     *
     * @var array
     */
    protected $middleware = [
        \Kerattila\X509Auth\Middleware\X509::class,
        // ... other middleware
    ];
}
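
How a rules map like the one in the config can be applied to the variables exported by SSLOptions +StdEnvVars, as an added example that is not the package's own middleware code; the function name x509Criteria and the sample values are hypothetical. It also checks SSL_CLIENT_VERIFY, which matters whenever client verification is not strictly required.

```php
<?php
// Added illustration: x509Criteria() and the sample values are hypothetical,
// not part of kerattila/laravel-x509-auth.

/**
 * Turn mod_ssl variables into user lookup criteria using a rules map shaped
 * like config 'middleware.rules'. Returns null when the request must not be
 * treated as certificate-authenticated.
 */
function x509Criteria(array $server, array $rules): ?array
{
    // mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason here; only
    // SUCCESS means the chain validated against SSLCACertificateFile.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    if ($rules === []) {
        return null; // an empty rule set would otherwise match any user
    }
    $criteria = [];
    foreach ($rules as $sslVar => $userField) {
        $value = $server[$sslVar] ?? '';
        if (!is_string($value) || $value === '') {
            return null; // every configured rule must be satisfied
        }
        $criteria[$userField] = $value;
    }
    return $criteria;
}

$rules = [
    'SSL_CLIENT_M_SERIAL' => 'username',
    'SSL_CLIENT_S_DN_Email' => 'email',
];

// Constructed sample of what $_SERVER carries with SSLOptions +StdEnvVars.
$verified = [
    'SSL_CLIENT_VERIFY' => 'SUCCESS',
    'SSL_CLIENT_M_SERIAL' => '0A1B2C',
    'SSL_CLIENT_S_DN_Email' => 'email@domain.com',
];
$unverified = array_merge($verified, ['SSL_CLIENT_VERIFY' => 'NONE']);
$noEmail = array_diff_key($verified, ['SSL_CLIENT_S_DN_Email' => true]);

// In a Laravel app the criteria could feed \App\User::where($criteria)->first().
var_dump(x509Criteria($verified, $rules));   // case: verified certificate
var_dump(x509Criteria($unverified, $rules)); // case: chain not verified
var_dump(x509Criteria($noEmail, $rules));    // case: email attribute missing
```

Certificate serial numbers are unique only per issuing CA, so a serial-based rule is meaningful only while SSLCACertificateFile trusts a single root.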

Commands

The root certificate can be generated by running this command:

php artisan x509auth:generate:root-ca {--dir=} {--private=} {--public=}

A signed certificate can be generated by running a similar command:

php artisan x509auth:generate:signed-certificate {--dir=} {--private=} {--public=} {--csr=} {--root-private=} {--root-public=} {--email=}

During certificate generation you will be asked to provide (optionally) a password to protect the certificate.

Note: All options are optional; fallback values are defined in the config file.