Apache Implementation Guide

Guide to implementing Digi-Access™ on Apache 1.3 (mod_ssl) Web Server

Client Certificate Authentication (part IV)

For more information about the above directive, visit the Apache home website (http://www.apache.org) or contact Digi-Sign Support at support@digi-sign.com.

- Some Apache versions, depending on whether you are implementing a CGI application with Digi-Access™, may require the following directive to be present:

    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Client Certificate Authentication

The expression must match the following syntax (given in BNF grammar notation):

      expr ::= "true" | "false"
      | "!" expr
      | expr "&&" expr
      | expr "||" expr
      | "(" expr ")"
      | comp

      comp ::= word "==" word | word "eq" word
      | word "!=" word | word "ne" word
      | word "<" word | word "lt" word
      | word "<=" word | word "le" word
      | word ">" word | word "gt" word

Client Certificate Authentication

Configuring Apache 1.3 for Digi-Access™ Client Certificate Authentication

To configure Apache:

- Open for editing the httpd.conf Apache configuration file
- Locate the Virtual Host section for your SSL secured site

Enabling Client Certificate Authentication on Apache web server

To enable Client Certificate Authentication on Apache 1.3, you will need to obtain your own Digi-ID™ Client Certificate and the Certification Authority Certificate Chain (CA Chain), and set up Authentication Rules using the httpd.conf file and Apache configuration directives.
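The setup described above as an httpd.conf fragment, added here as an example and not taken from the Digi-Sign guide. The host name, file paths, verification depth, `/protected` location and the values compared in the rule are assumed placeholders; the directives are standard mod_ssl ones, and the rule assumes the expression grammar shown on this page is the one mod_ssl's `SSLRequire` accepts.

```apache
# Added example: host name, paths and rule values are placeholders.
<VirtualHost _default_:443>
    ServerName secure.example.com
    SSLEngine on

    # Server (Digi-SSL) certificate and private key: placeholder paths.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA chain used to verify client certificates: placeholder path.
    SSLCACertificateFile  /path/to/ca-chain.crt

    # Weak setting: "optional" lets the handshake complete when the client
    # sends no certificate, so access control rests entirely on later rules.
    # SSLVerifyClient optional

    # Corrected setting: the handshake fails unless the client presents a
    # certificate that chains to the CA file above.
    SSLVerifyClient require
    # Assumed depth: client certificate -> intermediate CA -> root CA.
    SSLVerifyDepth  2

    <Location /protected>
        # Authentication rule using only operators from the grammar:
        # "eq", "&&", "!" and parentheses. Values are constructed samples.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                && %{SSL_CLIENT_S_DN_O} eq "Example Org" \
                && !( %{SSL_CLIENT_S_DN_OU} eq "Suspended" )
    </Location>
</VirtualHost>
```

After editing, `apachectl configtest` checks the syntax before the server is restarted.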

2.1 Obtaining the Digi-Sign Certification Authority Certificate Chain

Installing your Digi-SSL™ Certificate

You will receive 2 Certificates from Digi-Sign. When viewed in a text editor, these certificates will look something like:

    -----BEGIN CERTIFICATE-----
    MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
    UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
    (.......)
    E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
    K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
    -----END CERTIFICATE-----

Enabling SSL communication security on Apache 1.3 web server

To enable the SSL facility on Apache 1.3, an SSL (Digi-SSL™) certificate is required.
A Digi-SSL™ certificate can be obtained directly from Digi-Sign and requires a CSR (Certificate Signing Request) code.
A CSR is a file/string containing your certificate application information, including your Public Key, Company Name and the Common Name (in most cases the FQDN, the Fully Qualified Domain Name of the host).

Generate your CSR and then copy and paste the contents of the CSR file into the

Apache Secure Authenticated Access

Digi-Access™ Setup and Implementation on Apache 1.3 (mod_ssl) Web Server

1. Enabling SSL communication security on Apache 1.3 web server
1.1 Generating a Certificate Signing Request (CSR) using Apache 1.3
1.2 Installing your Digi-SSL™ Certificate on Apache 1.3
1.2.1 Installing your Digi-SSL™ Certificate
1.2.2 Installing the CA Chain file containing the Root & Intermediate Certificates