I am setting up Apache to do smartcard authentication. The smartcard login is based on client-side SSL
certificates handled by an OS driver.
I have currently just one smartcard provider, but in the future there are potentially several of them. I am not sure how Apache 2.2. handles client-side certifications per Location. I did some quick testing and it somehow seemed that only the last SSLCACertificateFile directive would have been effective and this doesn't sound right.
Is it possible to have different SSLCACertificateFile per Location in Apache (2.2, 2.4) as described below or is SSL protocol somehow limiting that you cannot have more than one SSLCACertificateFile per IP?
Example potential config below how I wish to handle several SSLCACertificateFile on the same server to allow users to log in with different smartcard provides.
<VirtualHost 127.0.0.1:443>
# Real men use mod_proxy
DocumentRoot "/nowhere"
ServerName local-apache
ServerAdmin
[email protected]
SSLEngine on
SSLOptions +StdEnvVars +ExportCertData
# Server-side HTTPS configuration
SSLCertificateFile /etc/apache2/certificate-test/server.crt
SSLCertificateKeyFile /etc/apache2/certificate-test/server.key
# Normal SSL site traffic does not require verify
client
SSLVerifyClient none
SSLVerifyDepth 999
# Provider 1
<Location /@@smartcard-login>
SSLVerifyClient require
SSLCACertificateFile /etc/apache2/certificate-test/ca.crt
# Apache does not natively pass forward headers
# created by SSLOptions +StdEnvVars,
# so we pass them forward to Python using RequestHeader
# from mod_headers
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</Location>
# Provider 2
<Location /@@smartcard-login-provider-2>
# For real
SSLVerifyClient require
SSLCACertificateFile /etc/apache2/certificate-test/provider2.crt
# Apache does not natively pass forward headers
# created by SSLOptions +StdEnvVars,
# so we pass them forward to Python using RequestHeader
# from mod_headers
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</Location>
# Connect to Plone ZEO client1 running on fg
ProxyPass / http://localhost:8080/VirtualHostBase/https/local-apache:443/folder_sits/sitsngta/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/https/local-apache:443/folder_sits/sitsngta/VirtualHostRoot/
</VirtualHost>