Apache 2 client authentication
Client certificate authentication for Apache 2 is a pain. Quick cheat sheet, assuming SSL is already configured for the VirtualHost and working properly:
<Directory /path/to/directory>
Order Allow,Deny
Allow from all
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth x
SSLCACertificateFile /path/to/client-ca-file.pem
</Directory>
Quick explanations of each directive:
- SSLRequireSSL – only allows SSL’ed connections. Note this doesn’t redirect HTTP requests to HTTPS.
- SSLVerifyClient require – server requires a valid (e.g., within validity period, issued by a trusted CA) client certificate.
- SSLVerifyDepth x – where x is the maximum length of the certificate chain from the client certificate to the Root CA certificate.
- SSLCACertificateFile /path/to/client-ca-file.pem – the PEM-formatted CA certificates (concatenated if there are more than one) trusted by the server that can ultimately validate the client certificate being presented. Must be self-signed (e.g., Root CA certificates) – Intermediate CA certificates, if used, aren’t specified here. (Note this directive is not used for specifying SSL Intermediate CA certificates; SSLCertificateChainFile should be used for that purpose.)
Additionally, there are other options:
SSLOptions +FakeBasicAuth
SSLRequire expression
SSLCADNRequestFile /path/to/issuing-ca-file.pem
Explanations:
- SSLOptions +FakeBasicAuth – turns the DN from the client certificate into an HTTP basic authorisation username, with a fixed password of ‘password’ – configure as per normal HTTP user auth, with the password stored in the user file as its DES or MD5 crypt hash as required.
- SSLRequire expression – a complicated directive that allows for very specific access controls – e.g., requiring specific elements of the client certificate or issuer DN to match, etc. See linked documentation and examples!
- SSLCADNRequestFile /path/to/issuing-ca-file.pem – the PEM-formatted CA certificates (concatenated if there are more than one) that directly issue client certificates; these should be sent in the SSL handshake as acceptable client certificate CA names. Very important note: the certificate(s) in this file are not used for validation purposes – they are just used to send a list of acceptable CAs to the client. New in mod_ssl 2.2.something and poorly documented. Doesn’t appear to work inside of a Directory or Location section; it only seems to work in the top-level VirtualHost (which is annoying and has been submitted as a bug to Apache). I haven’t been able to make it do anything useful as yet; that said I’ve only played with it briefly so I can’t be certain if I’m doing something retarded or not.
- zac.
Hi,
Currently I am trying to configure client authentication for Apache 2.2 using intermediate CAs, but it isn’t done yet.
The certs are created using our own PKI software, which is still under development.
The CA hierarchy looks like this:
rootCA –+– ProductionCA –+– ServersCA
        |                `– ClientsCA
        `– TestCA
ServersCA issues certs for SSL servers; ClientsCA issues certs for SSL clients.
My goal: Servers should use ClientsCA to verify client certs; clients should use ServersCA to verify server certs.
It’s also my suspicion that the “SSLCACertificateFile” directive seems to support “self-signed CAs” only.
In the Apache documentation, the “SSLCertificateChainFile” directive is described as containing the cert chain for verification of the server’s cert.
I wonder where to specify which intermediate CAs should be used to verify client certs (without using a root CA)?
Perhaps you have an idea.
Short remark:
You wrote “…self-signed (e.g., Root CA certificates)”.
I think it should be “…self-signed (i.e., Root CA certificates)”, because a “self-signed CA” is identical to “root CA”. Please let me know if I’m wrong.
Regards
Rolf
Because the removal of whitespace destroyed the structure of the CA hierarchy, here it is again:
rootCA — ProductionCA — ServersCA
rootCA — ProductionCA — ClientsCA
rootCA — TestCA
Hi,
There is no such thing in Apache, which is annoying. You’re correct in your presumption that the SSLCACertificateFile directive only works with self-signed CAs; what I’ve done in your situation is to put your Root CA in that directive and then use SSLRequire statements to require that the issuer of the client certificate matches certain things (e.g., the subject is equal to something that only exists in the Clients CA in your given hierarchy).
HTH
- zac.
Hi HTH,
thanks for your reply. It seems I have to live with this workaround.
Regards
Rolf
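As an added example (not code from the original post or its comments, and not Apache’s or OpenSSL’s own), the following POSIX shell script builds the rootCA → ClientsCA → client certificate hierarchy from the thread with openssl and checks the claims made about SSLCACertificateFile and SSLVerifyDepth above: verification succeeds when the self-signed root is the trusted CA file and the intermediate arrives with the client, fails when the depth limit allows no intermediates (OpenSSL’s -verify_depth counts intermediates while Apache’s SSLVerifyDepth counts issuers, so this chain needs SSLVerifyDepth 2), and fails with only ClientsCA in the CA file unless the verifier is explicitly told to accept a chain that ends at an intermediate, which is exactly the option the comment thread found no Apache directive for. It also prints the htpasswd line that SSLOptions +FakeBasicAuth expects for the client DN. All subject names, file names and the working directory are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or its comments): build the
# rootCA -> ClientsCA -> client certificate hierarchy from the thread with
# openssl, check how the client cert verifies against different CA files and
# depth limits, and print the htpasswd entry SSLOptions +FakeBasicAuth would
# expect for it. All names below are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a self-signed rootCA, an intermediate ClientsCA and one client cert.
build_pki() (
  cd "$WORK"
  # Self-signed root. openssl req -x509 marks it CA:TRUE (via v3_ca in the
  # default config, or OpenSSL 3's built-in defaults). This is the file that
  # belongs in SSLCACertificateFile.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=rootCA" -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA: x509 -req adds no CA extensions on its own, so CA:TRUE
  # must be supplied or the intermediate is not accepted as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=ClientsCA" \
    -keyout clientsca.key -out clientsca.csr 2>/dev/null
  openssl x509 -req -days 1 -in clientsca.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out clientsca.pem 2>/dev/null
  # End-entity client certificate issued by ClientsCA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=alice" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -days 1 -in client.csr -CA clientsca.pem -CAkey clientsca.key \
    -CAcreateserial -out client.pem 2>/dev/null
)

# verify_client CAFILE [extra 'openssl verify' options]
# Prints "ok" or "fail". CAFILE plays the role of SSLCACertificateFile; an
# intermediate the client would send in the handshake is passed via -untrusted.
verify_client() {
  cafile="$1"; shift
  if openssl verify -CAfile "$cafile" "$@" "$WORK/client.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# FakeBasicAuth uses the client cert's subject DN, in OpenSSL's legacy one-line
# form, as the user name; the fixed password "password" is stored in the user
# file as the DES crypt string xxj31ZMTZzkVA (the value given in the mod_ssl docs).
fake_basic_auth_entry() {
  dn=$(openssl x509 -in "$WORK/client.pem" -noout -subject -nameopt compat | sed 's/^subject= *//')
  printf '%s:xxj31ZMTZzkVA\n' "$dn"
}

main() {
  build_pki
  echo "root in CA file, intermediate sent by client:          $(verify_client "$WORK/root.pem" -untrusted "$WORK/clientsca.pem")"
  echo "same, but no intermediates allowed (-verify_depth 0):  $(verify_client "$WORK/root.pem" -untrusted "$WORK/clientsca.pem" -verify_depth 0)"
  echo "only ClientsCA in CA file (no self-signed anchor):     $(verify_client "$WORK/clientsca.pem")"
  echo "only ClientsCA, partial chains explicitly allowed:     $(verify_client "$WORK/clientsca.pem" -partial_chain)"
  echo "htpasswd line for FakeBasicAuth: $(fake_basic_auth_entry)"
}
main
```

Running it prints ok, fail, fail, ok for the four verification cases. The first two lines are what mod_ssl does with SSLCACertificateFile set to the root and SSLVerifyDepth 2 versus SSLVerifyDepth 1; the third is the Apache 2.2 behaviour Rolf ran into; the fourth only works because openssl verify was given -partial_chain, so the comment thread’s workaround (trust the root, then restrict the issuer with SSLRequire) remains the practical answer.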