Apache httpd: How to trust specific client certificates?


You should configure the CA certificates you trust via SSLCACertificateFile or SSLCACertificatePath and use SSLVerifyClient (optional or required, not optional_no_ca, which wouldn't perform any authentication) to make the server request a client certificate.

If you use SSLVerifyClient directly within your VirtualHost section, the client certificate will be sent during the initial handshake. If you put it within a Directory/.htaccess, the client certificate will be re-negotiated.

It's easier to debug when the certificate is sent in the initial handshake, since the client certificate itself won't be encrypted. You should be able to see it by looking at the traffic with Wireshark (in the Certificate message sent by the client). When debugging, it's worth checking that a Certificate Request message is sent by the server, and looking at its certification authorities list.

A typical cause of problems would be a client that doesn't recognise that list, or a client that doesn't send its intermediate CA certificates in its chain, if needed.

If you then want to authorise certain certificates more specifically, you can check the SSL variables (e.g. SSL_CLIENT_S_DN_*) and use them in an SSLRequire directive (see example).
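The following virtual host puts the answer's three pieces together: a trust store of CA certificates, SSLVerifyClient set at VirtualHost level so the certificate arrives in the initial handshake, and an SSLRequire rule that narrows access to particular subject DNs. This is an added example, not configuration from the original answer; the host name, file paths, organisation and CN values are assumptions to be replaced with your own.

```apache
# Added example (not from the original answer). Paths, ServerName and the
# DN values below are placeholders.
<VirtualHost *:443>
    ServerName api.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Trust anchors for client certificates: the CA that issues the partner
    # certificates plus any intermediates, PEM-concatenated. A partner's leaf
    # certificate on its own is not a CA and does not belong in this file.
    SSLCACertificateFile /etc/ssl/certs/partner-ca-chain.pem

    # Request the client certificate during the initial handshake and reject
    # the connection if none is sent or it does not chain to the CAs above.
    # SSLVerifyDepth defaults to 1; raise it when an intermediate is involved.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Beyond "issued by a trusted CA", only these subjects may use the service.
    <Location "/service">
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Partner Corp" \
               and %{SSL_CLIENT_S_DN_CN} in {"partner-app-01", "partner-app-02"}
    </Location>
</VirtualHost>
```

Run `apachectl configtest` after editing, then check the server side of the handshake with `openssl s_client -connect api.example.test:443 -cert client.pem -key client.key`: the "Acceptable client certificate CA names" it prints is the certification authorities list from the server's Certificate Request message, so a partner whose issuer is missing from that list has found the misconfiguration without Wireshark. On httpd 2.4, SSLRequire is deprecated in favour of `Require expr`, but the variable names used above are the same in both.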

Author: Admin
Updated on June 04, 2022

Comments

  • Admin (almost 2 years ago)

    How can I configure the Apache httpd to trust specific client certificates?

    We need to restrict access to a web service to a specific (known) partner's servers.
    We planned to use a CA-based solution for this (a trusted CA which would only sign trustworthy CSRs as we accepted them); however, our company's CA will not create certificates for external companies.

    In order to establish the secured connection anyway, until the necessary PKI is ready, we wanted to configure specific client certificates as trusted on our Apache httpd proxy.

    But httpd does not accept connections from the clients that try to connect using the client certificate that has been added to the CACertificateFile (concatenated X.509 certificates, Base64-encoded DER, i.e. PEM) configured for the virtual host.

    The client certificate is in this case not a self-signed certificate.