This howto describes how to use Apache and SSL with trusted clients by pre-sharing a certificate with them. Unlike the usual way of using SSL, this setup requires the server _and_ the client to have valid certificates, so you need to create a client certificate and deliver it securely to the client.
1. Enable SSL.
sudo a2enmod ssl
2. Generate a private key without a passphrase,
openssl genrsa -out server.key 1024
or with a passphrase.
openssl genrsa -des3 -out server.key 1024
3. Create a certificate signing request.
openssl req -new -key server.key -out server.csr
4. Sign it yourself.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
5. Copy your new certificate and keys to the appropriate places.
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
6. Edit your Apache site configuration and add these lines to the VirtualHost section:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/ssl/certs/server.crt
7. Create a certificate which you can give to a client, or a group of clients.
openssl pkcs12 -export -out client_cert.pfx -in server.crt -inkey server.key\
-name 'Certificate Name'
8. Make sure the client gets the client_cert.pfx file and installs it into their browser.
9. To use client_cert.pfx with Python's httplib or httplib2, it needs to be split into separate key and certificate files.
openssl pkcs12 -clcerts -nokeys -in client_cert.pfx -out client_cert.pem
openssl pkcs12 -nocerts -in client_cert.pfx -out client_key.pem
10. Strip the passphrase from client_key.pem so that Python does not prompt for one.
openssl rsa -in client_key.pem -out unsecured_client_key.pem
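Added example, not part of the howto: it reproduces in Python's ssl module, over loopback, what SSLVerifyClient require with SSLCACertificateFile pointing at server.crt does, so a client presenting the certificate is accepted and its CN is visible to the server, while a client presenting none is rejected. It assumes the openssl binary is on PATH and, like steps 7 to 10, reuses the server certificate and key as the client credential (which is why client_cert.pfx also carries the server's private key); the constructed throwaway key is 2048-bit, not the 1024-bit size used above.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(workdir):
    """Constructed throwaway key + self-signed cert (steps 2-4 in one command)."""
    key, crt = os.path.join(workdir, "server.key"), os.path.join(workdir, "server.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def handshake(crt, key, present_client_cert):
    """One mutual-TLS handshake over loopback; returns what the server saw (CN or error)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(crt, key)         # SSLCertificateFile / SSLCertificateKeyFile
    srv.verify_mode = ssl.CERT_REQUIRED   # SSLVerifyClient require
    srv.load_verify_locations(crt)        # SSLCACertificateFile (the howto reuses server.crt)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def serve():
        conn, _ = listener.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:  # handshake happens here
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                result["peer_cn"] = subject["commonName"]
                tls.sendall(b"ok")
        except OSError as exc:  # ssl.SSLError, e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
            result["error"] = getattr(exc, "reason", None) or str(exc)
        finally:
            conn.close()
            listener.close()

    worker = threading.Thread(target=serve)
    worker.start()
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(crt)  # self-signed server cert: pin it as the only trust anchor
    if present_client_cert:
        cli.load_cert_chain(crt, key)  # stands in for client_cert.pem + unsecured_client_key.pem
    try:
        raw = socket.create_connection(("127.0.0.1", port))
        with cli.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.recv(2)  # under TLS 1.3 the "certificate required" alert surfaces on first read
    except OSError:
        pass  # rejected by the server; the server side recorded why
    worker.join()
    return result

def demo():
    """Accepted handshake (with cert) and rejected handshake (without), in that order."""
    with tempfile.TemporaryDirectory() as workdir:
        crt, key = make_self_signed(workdir)
        return handshake(crt, key, True), handshake(crt, key, False)
```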