I have the following scenario: A central update server (running apache) is hosting update packages for different customers. Some of the packages contain license information, so customer A mustn't be able to access packages of customer B.
I want to ensure this by using client certificates. So I created a root CA (using plain openssl) and created two intermediate CAs (one per customer, both directly signed by the root CA, so those are in "parallel").
I was able to configure apache in a way that it requires the clients to provide a valid certificate. Unfortunately, both vHosts on the server accept certificates issued by both intermediate CAs.
How can I configure apache so it only accepts client certificates issued directly by one of the two intermediate CAs?
This is one of the configuration files:
# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************
<VirtualHost cust2.munki.puppet.intra:443>
  ServerName cust2.munki.puppet.intra

  ## Vhost docroot
  DocumentRoot "/srv/munki/cust2.munki.puppet.intra"

  ## Directories, there should at least be a declaration for /srv/munki/cust2.munki.puppet.intra
  <Directory "/srv/munki/cust2.munki.puppet.intra">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/apache2/munki.puppet.intra cust2 ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/munki.puppet.intra cust2 ssl_access_ssl.log" combined

  ## SSL directives
  SSLEngine on
  SSLCertificateFile "/etc/ssl/cust2.munki.puppet.intra.cert.pem"
  SSLCertificateKeyFile "/etc/ssl/private/cust2.munki.puppet.intra.key.pem"
  SSLVerifyClient require
  SSLVerifyDepth 2
  SSLCACertificateFile "/etc/ssl/cust2.cert.pem"
</VirtualHost>
regards, christian
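An added example, not taken from the post above or from the puppetlabs-apache module, showing one way to pin a vHost to a single intermediate. It assumes that `/etc/ssl/cust2.cert.pem` contains the shared root CA together with the cust2 intermediate (which is what makes a cust1 certificate chain up successfully, since both intermediates descend from the same root), and it uses a placeholder issuer CN (`cust2 Intermediate CA`) and a placeholder file `/etc/ssl/cust2-intermediate-only.pem` that do not appear in the original configuration. The chain check stays as it is; the restriction is added as an authorization rule on the issuer of the verified client certificate.

```apache
<VirtualHost cust2.munki.puppet.intra:443>
    ServerName cust2.munki.puppet.intra
    DocumentRoot "/srv/munki/cust2.munki.puppet.intra"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/cust2.munki.puppet.intra.cert.pem"
    SSLCertificateKeyFile "/etc/ssl/private/cust2.munki.puppet.intra.key.pem"

    # Trust store used for building and verifying the client chain.
    # Assumed to hold root CA + cust2 intermediate. Because the root is
    # shared by both customers, this alone does NOT reject cust1 clients.
    SSLCACertificateFile "/etc/ssl/cust2.cert.pem"
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Advertise only the cust2 intermediate in the TLS CertificateRequest,
    # so clients select the right certificate. This is a hint to the
    # client, not an access control; the Require below does the enforcing.
    # (Placeholder file: a PEM with just the cust2 intermediate cert.)
    SSLCADNRequestFile "/etc/ssl/cust2-intermediate-only.pem"

    <Directory "/srv/munki/cust2.munki.puppet.intra">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Authorization: the issuer CN of the already-verified client
        # certificate must be the cust2 intermediate. Replace the
        # placeholder CN with the exact subject CN of that intermediate.
        # This REPLACES "Require all granted"; listing both would fall
        # under the default RequireAny and grant access unconditionally.
        Require expr "%{SSL_CLIENT_I_DN_CN} == 'cust2 Intermediate CA'"
    </Directory>
</VirtualHost>
```

`SSLVerifyClient require` still guarantees the presented certificate chains to a CA in the trust store; the `Require expr` line then narrows access to certificates whose direct issuer is the customer's own intermediate. If the two intermediates could share a CN, compare the full issuer string with `%{SSL_CLIENT_I_DN}` instead. The cust1 vHost gets the mirror-image configuration with its own intermediate CN and `SSLCADNRequestFile`.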
0 Answers