Home / server / Questions / 335670
In Process
cm007
Asked: 2011-11-29 21:52:11 +0800 CST

How do I require client certificates with a specific username / password in Apache?

  • 772

I have several clients certificates that my Apache httpd server requires clients to have (made using the instructions at http://www.garex.net/apache/). I would like to have an authentication that also authenticates and allows only a client certificate to match a username/password combination.

For example, if I have two client certificates with CN user1 and user2 and .htpasswd file

user1:passwordA
user2:passwordB

I would like something like

SSLUserName %{SSL_CLIENT_S_DN_CN}
AuthName "Please enter your username and password"
AuthType Basic
AuthUserFile /path/.htpasswd
require valid-user

However, trying this results in 500 errors. What can I do?

apache-2.2 authentication ssl ssl-certificate

1 Answers

  1. The error 500 is due to wrongSSLUserName syntax — it should be written without %{...}:

    SSLUserName SSL_CLIENT_S_DN_CN

    But actually if you want to require basic auth and certificate name to match, you should remove SSLUserName (so that mod_ssl would not touch REMOTE_USER) and use:

    SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}

    Another option which might work better when used in the config file directly (not in .htaccess):

    RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} !=%{LA-U:REMOTE_USER}
RewriteRule ^ - [F]
    • 5