Apache httpd: How to trust specific client certificates?
You should configure the CA certificates you trust via SSLCACertificateFile or SSLCACertificatePath, and use SSLVerifyClient (optional or required, not optional_no_ca, which wouldn't perform any authentication) to make the server request a client certificate.
If you use SSLVerifyClient directly within your VirtualHost section, the client certificate will be sent during the initial handshake. If you put it within a Directory section or .htaccess, the client certificate will be re-negotiated.
It's easier to debug when the certificate is sent in the initial handshake, since the client certificate itself won't be encrypted. You should be able to see it by looking at the traffic with Wireshark (in the Certificate message sent by the client). When debugging, it's worth checking that a Certificate Request message is sent by the server, and looking at its certification authorities list.
A typical cause of problems would be a client that doesn't recognise that list, or a client that doesn't send its intermediate CA certificates in its chain, if needed.
If you then want to authorise certain certificates more specifically, you can check the SSL variables (e.g. SSL_CLIENT_S_DN_*) and use them in an SSLRequire directive (see example).
Admin, updated on June 04, 2022
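A complete VirtualHost wired up the way the answer describes, as an added example that is not from the original answer or from the httpd project: the CA bundle path, the partner organisation name and the host names are assumed placeholders, and it targets httpd 2.4 with mod_ssl.

```apache
# Added example (not from the original answer). All paths, the organisation
# "Partner Ltd" and the api*.partner.test names are assumptions.

<VirtualHost *:443>
    ServerName proxy.example.test

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.test.key

    # Trust anchor for *client* certificates: the partner CA's certificate
    # chain (root plus any intermediates, PEM, concatenated). This is what
    # the server advertises in its Certificate Request message, so the
    # client can select a matching certificate. As the answer says, the
    # issuing CA has to be configured here, and verification chains up to it.
    SSLCACertificateFile /etc/ssl/partner/partner-ca-chain.pem
    # Root -> intermediate -> client certificate is two levels deep.
    SSLVerifyDepth 2

    # Placed at VirtualHost level so the client certificate is requested in
    # the initial handshake (visible in Wireshark, no renegotiation).
    # 'require' rejects the connection unless a certificate that verifies
    # against SSLCACertificateFile is presented.
    SSLVerifyClient require

    # Authorisation: not every certificate the partner CA issued may reach
    # the webservice, only the known partner servers. SSLRequire is the
    # directive the answer mentions; on httpd 2.4 it is deprecated and
    # 'Require expr %{SSL_CLIENT_S_DN_CN} in {...}' is the equivalent.
    <Location "/webservice">
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Partner Ltd" \
               and %{SSL_CLIENT_S_DN_CN} in {"api1.partner.test", "api2.partner.test"}
    </Location>

    # Log the verification result and client DN, so a failed client
    # verification or a DN mismatch can be traced from the access log
    # instead of a packet capture.
    LogFormat "%h %t \"%r\" %>s verify=%{SSL_CLIENT_VERIFY}x dn=\"%{SSL_CLIENT_S_DN}x\"" sslclient
    CustomLog /var/log/httpd/ssl_client.log sslclient
</VirtualHost>
```

A request that presents a certificate from the configured CA but with a CN outside the list is logged with verify=SUCCESS and still answered with 403 by the SSLRequire check.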
Comments
Admin, almost 2 years ago
How can I configure the Apache httpd to trust specific client certificates?
We need to restrict access to a webservice to a specific (known) partner's servers.
We planned to use a CA-based solution for this (a trusted CA which would only sign trustworthy CSRs as we accepted them); however, our company's CA will not create certificates for external companies. In order to establish the secured connection anyway, until the necessary PKI is ready, we wanted to configure specific client certificates as trusted on our Apache httpd proxy.
But httpd does not accept connections from the clients that try to connect using the client certificate that has been added to the CACertificateFile (concatenated X.509 certificates, Base64-encoded DER, i.e. PEM) configured for the virtual host.
The client certificate is in this case not a self-signed certificate.