Possible to have different SSLCACertificateFiles under different Location in Apache (client side ssl certs)
Posted
by
Mikko Ohtamaa
on Server Fault
See other posts from Server Fault
or by Mikko Ohtamaa
Published on 2012-09-15T20:58:53Z
Indexed on
2013/11/02
15:54 UTC
Read the original article
Hit count: 232
I am setting up Apache to do smartcard authentication. The smartcard login is based on client-side SSL certificates handled by an OS driver.
I have currently just one smartcard provider, but in the future there are potentially several of them. I am not sure how Apache 2.2. handles client-side certifications per Location. I did some quick testing and it somehow seemed that only the last SSLCACertificateFile directive would have been effective and this doesn't sound right.
Is it possible to have different SSLCACertificateFile per Location in Apache (2.2, 2.4) as described below or is SSL protocol somehow limiting that you cannot have more than one SSLCACertificateFile per IP?
Example potential config below how I wish to handle several SSLCACertificateFile on the same server to allow users to log in with different smartcard provides.
<VirtualHost 127.0.0.1:443>
# Real men use mod_proxy
DocumentRoot "/nowhere"
ServerName local-apache
ServerAdmin [email protected]
SSLEngine on
SSLOptions +StdEnvVars +ExportCertData
# Server-side HTTPS configuration
SSLCertificateFile /etc/apache2/certificate-test/server.crt
SSLCertificateKeyFile /etc/apache2/certificate-test/server.key
# Normal SSL site traffic does not require verify client
SSLVerifyClient none
SSLVerifyDepth 999
# Provider 1
<Location /@@smartcard-login>
SSLVerifyClient require
SSLCACertificateFile /etc/apache2/certificate-test/ca.crt
# Apache does not natively pass forward headers
# created by SSLOptions +StdEnvVars,
# so we pass them forward to Python using RequestHeader
# from mod_headers
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</Location>
# Provider 2
<Location /@@smartcard-login-provider-2>
# For real
SSLVerifyClient require
SSLCACertificateFile /etc/apache2/certificate-test/provider2.crt
# Apache does not natively pass forward headers
# created by SSLOptions +StdEnvVars,
# so we pass them forward to Python using RequestHeader
# from mod_headers
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</Location>
# Connect to Plone ZEO client1 running on fg
ProxyPass / http://localhost:8080/VirtualHostBase/https/local-apache:443/folder_sits/sitsngta/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/https/local-apache:443/folder_sits/sitsngta/VirtualHostRoot/
</VirtualHost>
© Server Fault or respective owner