Home / server / Questions / 577835
In Process
Lisek
Asked: 2014-02-25 02:42:44 +0800 CST

Apache SSL Certificate and Basic Auth combination - password if no certificate

  • 772

Is it possible, to force apache to ask for password only if user don't have client-certificate installed?

I'm almost sure, that this is possible, but I'm not able to find any confirmation anywhere.

Is it possible to configure apache to act like this:

If user will have client-certificate - apache will allow connection to webpage without any problem or question. If user-certificate on the client-side will not be available, it will ask for basic auth authentication - so it will ask for password?

How to configure it? I'm fighting this since morning without any solution even to just stick to it.

apache-2.2

1 Answers

  1. Here is a script to get the entries for the password file from the certificates: (see also https://serverfault.com/posts/747107)

    In the .fakehttpsauth you need to put entries like:

    /C=US/ST=CA/O=Doe Inc/CN=John Doe/[email protected]:xxj31ZMTZzkVA

    Here is a script to create such entries from your certificates:

    #!/bin/bash
# export the certificates in fake auth format
# see https://serverfault.com/questions/533639/apache-authentication-with-ssl-certificate-and-sslusername
# WF 2016-01-06
fakepass=`openssl passwd -crypt -salt xx password`
for c in *.crt 
do
  openssl x509 -in $c -text  | grep Subject: | gawk -v fakepass=$fakepass '
BEGIN { FS="," }
{ 
  gsub("Subject: ","",$0)
  for (i=1;i<=NF;i++) {
    f=trim($i)
    printf("/%s",f);
  }
  printf(":%s\n",fakepass);
}

# see https://gist.github.com/andrewrcollins/1592991
function ltrim(s) { sub(/^[ \t\r\n]+/, "", s); return s }
function rtrim(s) { sub(/[ \t\r\n]+$/, "", s); return s }
function trim(s)  { return rtrim(ltrim(s)); }
'
done
    • 1