Home / server / Questions / 428764
In Process
Mikko Ohtamaa
Asked: 2012-09-16 12:58:53 +0800 CST

Possible to have different SSLCACertificateFiles under different Location in Apache (client side ssl certs)

  • 772

I am setting up Apache to do smartcard authentication. The smartcard login is based on client-side SSL certificates handled by an OS driver.

I have currently just one smartcard provider, but in the future there are potentially several of them. I am not sure how Apache 2.2. handles client-side certifications per Location. I did some quick testing and it somehow seemed that only the last SSLCACertificateFile directive would have been effective and this doesn't sound right.

Is it possible to have different SSLCACertificateFile per Location in Apache (2.2, 2.4) as described below or is SSL protocol somehow limiting that you cannot have more than one SSLCACertificateFile per IP?

Example potential config below how I wish to handle several SSLCACertificateFile on the same server to allow users to log in with different smartcard provides.

<VirtualHost 127.0.0.1:443>

    # Real men use mod_proxy
    DocumentRoot "/nowhere"

    ServerName local-apache
    ServerAdmin [email protected]

    SSLEngine on
    SSLOptions +StdEnvVars +ExportCertData

    # Server-side HTTPS configuration
    SSLCertificateFile /etc/apache2/certificate-test/server.crt
    SSLCertificateKeyFile /etc/apache2/certificate-test/server.key

    # Normal SSL site traffic does not require verify client
    SSLVerifyClient none
    SSLVerifyDepth 999

    # Provider 1
    <Location /@@smartcard-login>
        SSLVerifyClient require

        SSLCACertificateFile /etc/apache2/certificate-test/ca.crt

        # Apache does not natively pass forward headers
        # created by SSLOptions +StdEnvVars,
        # so we pass them forward to Python using RequestHeader
        # from mod_headers
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    </Location>

    # Provider 2
    <Location /@@smartcard-login-provider-2>
        # For real
        SSLVerifyClient require

        SSLCACertificateFile /etc/apache2/certificate-test/provider2.crt

        # Apache does not natively pass forward headers
        # created by SSLOptions +StdEnvVars,
        # so we pass them forward to Python using RequestHeader
        # from mod_headers
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    </Location>


    # Connect to Plone ZEO client1 running on fg
    ProxyPass             / http://localhost:8080/VirtualHostBase/https/local-apache:443/folder_sits/sitsngta/VirtualHostRoot/
    ProxyPassReverse      / http://localhost:8080/VirtualHostBase/https/local-apache:443/folder_sits/sitsngta/VirtualHostRoot/

</VirtualHost>
apache-2.2

2 Answers

  1. As answered by Vlastimil Zima, you can indeed use SSLRequire for this (at least if you want/need to make a difference between the two CA's). Otherwise just combining the two certificates into one is good enough (as asked by Curtis: yes you can just combine certificates to make something like this work). And seeing your example, just combining is good enough.

    With the SSLRequire you can check the issuer (assuming the CN's are different), for example:

    <Location /locationone>
SSLRequire %{SSL_CLIENT_I_DN_CN} == "THE CN OF THE FIRST ISSUER"
</location>

<Location /locationtwo>
SSLRequire %{SSL_CLIENT_I_DN_CN} == "THE CN OF THE SECOND ISSUER"
</location>

    And for this to work, you still need to combine the 2 CA Certificates into one.

    • 4

  2. Directive SSLCACertificateFile has virtual host context, so it will affect whole Virtual Host even when inserted into Location. You need to use SSLRequire to check if client uses correct certificate for location.

    http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire

    • 1