How do I require client certificates with a specific username / password in Apache?


The error 500 is due to wrong SSLUserName syntax — it should be written without %{...}:

SSLUserName SSL_CLIENT_S_DN_CN

But actually if you want to require basic auth and certificate name to match, you should remove SSLUserName (so that mod_ssl would not touch REMOTE_USER) and use:

SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}

Another option which might work better when used in the config file directly (not in .htaccess):

RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} !=%{LA-U:REMOTE_USER}
RewriteRule ^ - [F]
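For reference, here is a complete virtual host that puts the answer's pieces together in Apache 2.4 syntax (an added example, not the answer's own config): client certificate verification is switched on, SSLUserName is left out so REMOTE_USER stays the Basic-auth user, and the CN check is done with Require expr, which mod_authz_core evaluates after authentication, so REMOTE_USER is already populated. Certificate paths and the .htpasswd path are assumptions.

```apache
# Assumed paths; adjust to your own layout.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CA that issued the client certificates; without "SSLVerifyClient require"
    # the SSL_CLIENT_S_DN_CN variable is empty and the CN check below can never pass.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Deliberately NO "SSLUserName" here: it would overwrite REMOTE_USER with the
    # certificate CN before Basic auth runs, which defeats the comparison.

    <Location />
        AuthType Basic
        AuthName "Please enter your username and password"
        AuthUserFile /path/.htpasswd

        # Both conditions must hold: a valid password for the submitted
        # username, AND that username equals the client certificate's CN.
        <RequireAll>
            Require valid-user
            Require expr %{SSL_CLIENT_S_DN_CN} == %{REMOTE_USER}
        </RequireAll>
    </Location>
</VirtualHost>
```

On Apache 2.2, where Require expr is unavailable, the mod_rewrite variant from the answer (RewriteCond with the LA-U look-ahead) is the equivalent, because SSLRequire runs before the authentication phase and sees an empty REMOTE_USER.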
Author by Andrzej B.
Updated on September 18, 2022

Comments

  • Andrzej B.
    Andrzej B. over 1 year

    I have several client certificates that my Apache httpd server requires clients to have (made using the instructions at http://www.garex.net/apache/). I would like to have an authentication that also authenticates and allows only a client certificate to match a username/password combination.

    For example, if I have two client certificates with CN user1 and user2 and .htpasswd file

    user1:passwordA
    user2:passwordB
    

    I would like something like

    SSLUserName %{SSL_CLIENT_S_DN_CN}
    AuthName "Please enter your username and password"
    AuthType Basic
    AuthUserFile /path/.htpasswd
    require valid-user
    

    However, trying this results in 500 errors. What can I do?

    • Admin
      Admin about 9 years
      hi @cm007 did you manage to find a solution to this?
  • Andrzej B.
    Andrzej B. over 12 years
    I have <VirtualHost default:443> <Location /> AuthName "Please enter your username and password" AuthType Basic AuthUserFile /path/.htpasswd require valid-user SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER} </Location> </VirtualHost> but this gives a 403 error, and the authentication dialog never appears to the client. If I move the four lines about auth outside of the Location tag, then Apache says AuthName not allowed here.
  • Sergey Vlasov
    Sergey Vlasov over 12 years
    Is SSLVerifyClient require also specified? You may also try a mod_rewrite variant added to the answer.