Home / server / Questions / 497297
Accepted
Ency
Asked: 2013-04-09 07:17:22 +0800 CST

Is it possible to allow only some client certificates in Apache to login?

  • 772

In my virtual host I have something like that:

    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/ssl/svn.XXXXX.me.key
    SSLCertificateFile /etc/apache2/ssl/svn.XXXXX.me.crt
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/certs/ICA-Standart.0

So far, I can use any certificate issued by CA "ICA-Standart.0" to log in, but I would like to specify kind of white list and only some certificates will be allowed to log in, is that possible?
If so, which directive should I look?

Also please note the CA is a public certification authority.

apache-2.2

1 Answers

  1. Best Answer

    You need to use the SSL_CLIENT_S_* directives:

    
    Require              ssl
    Require              ssl-verify-client
    SSLRequireSSL
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 256
    SSLRequire           %{SSL_CLIENT_S_DN_O} eq "Company, LTD." \
                         and %{SSL_CLIENT_S_DN_OU} eq "Development" \
                         and %{SSL_CLIENT_S_DN_CN} in {"John Doe", "Jane Doe", "Other One"}
    SSLRenegBufferSize   131072
    Further reference can be found in the Apache documentation.

    • 5