I need an Apache server to offer multiple vhosts. Every vhost should only be accessible by one customer. To clear it up, I'll make a small example:
- vhost1: Servername: cust1.example.com
- vhost2: Servername: cust2.example.com
Now, only hosts from customer1 should be able to access vhost1 and only hosts from customer2 should be able to access vhost2. Here is what I did so far:
- Set up a CA using openxpki (works)
- Created a certificate for every vhost and configured the vhosts appropriately (works)
- Imported the root certificate of the CA into server and clients (works)
- Tested if Client-SSL-Auth works without filtering. (Works)
But now I can't get the filtering to work. I would like to filter for the CN in the certificates. For vhost1 this would be that all certificates with a CN of "*.cust1.example.com" would be allowed to access the resource. How can I achieve this?
Bonus: Would be great to be able to manage the change with puppet
Regards, Christian
It might be easier to create one (intermediate or root) CA per customer, and use that to issue certificates for each customer
You would then configure each vhost to require the clients provide a certificate, and ensure the appropriate CA was used to validate their certificates (e.g. SSLCACertificateFile would be unique per customer/vhost/domain).
A less file/CA-heavy approach (but one possibly more prone to errors) might involve a single client CA, and using SSLRequire to match the O(rganisation) or OU fields set in client certs (it avoids needing to have a CN for a person that looks like 'Bob Smith.the.customer.domain.tld').
See https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire for details.
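Both approaches from the answer above, written out as an added Apache 2.2 mod_ssl configuration (this is illustrative example config, not from the answerer; certificate paths, DocumentRoots and the O/OU values are assumed):

```apache
# Approach 1: one client CA per customer, selected per vhost.
# A certificate issued by any other CA fails the handshake here.
<VirtualHost *:443>
    ServerName cust1.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/vhosts/cust1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/vhosts/cust1.example.com.key
    # Only this customer's CA is trusted for client certificates
    SSLCACertificateFile  /etc/ssl/client-ca/cust1-ca.crt
    SSLVerifyClient require
    # Raise if customer CAs are intermediates under a shared root
    SSLVerifyDepth 2
    DocumentRoot /var/www/cust1
</VirtualHost>

# Approach 2: a single client CA shared by all customers, with
# SSLRequire restricting each vhost by fields in the client cert.
<VirtualHost *:443>
    ServerName cust2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/vhosts/cust2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/vhosts/cust2.example.com.key
    SSLCACertificateFile  /etc/ssl/client-ca/shared-client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    DocumentRoot /var/www/cust2
    <Location />
        # Match on O / OU as the answer suggests (values are assumed)
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Customer 2" \
               and %{SSL_CLIENT_S_DN_OU} eq "Hosts"
        # Alternatively, match the CN pattern from the question:
        # SSLRequire %{SSL_CLIENT_S_DN_CN} =~ m/\.cust2\.example\.com$/
    </Location>
</VirtualHost>
```

Several name-based SSL vhosts on one IP require SNI support on both Apache (2.2.12+) and the clients, since the vhost, and so its client-certificate policy, is chosen by the name the client sends; on Apache 2.4, SSLRequire is deprecated in favour of `Require expr` with the same variables.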