Add the following directive line into your site/directory configuration section:
SSLVerifyClient require
This directive sets the certificate verification level for client certificate authentication. It can be used in both per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured client verification level after the HTTP request has been read but before the HTTP response is sent.
The following values are available for the verification level:
none: no client Certificate is required at all
optional: the client may present a valid Certificate
require: the client has to present a valid Certificate
optional_no_ca: the client may present a valid Certificate, but it need not be (successfully) verifiable
In practice only the levels none and require are really interesting, because level optional doesn't work with all browsers and level optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.).
Add the following directive line into your site/directory configuration section:
SSLVerifyDepth 10
This directive sets how deeply mod_ssl should verify before deciding that the client doesn't have a valid certificate. It can be used in both per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured client verification depth after the HTTP request has been read but before the HTTP response is sent.
The depth is the maximum number of intermediate certificate issuers, i.e. the maximum number of CA certificates in the CA chain that may be followed while verifying the client certificate [1]. A depth of 0 means that only self-signed client certificates are accepted; the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath), and so on.
Depending on the Digi-Access™ implementation level, you may need to add the following directive(s) to enable customized authentication rules if you choose the Apache web server to be the authentication level:
SSLRequire
This directive specifies a general access requirement which has to be fulfilled in order to allow access. It's a very powerful directive because the requirement specification is an arbitrarily complex Boolean expression containing any number of access checks.
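The three directives above combined in one virtual host, as an added example that is not part of the original page or of the Digi-Access™ documentation. The host name, file paths, URL paths and certificate subject values are constructed placeholders, and the chain layout (root CA, one intermediate CA, client certificate) is an assumption.

```apache
# Added example: host name, paths and subject values are constructed.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # CA certificates the server trusts when verifying client certificates
    # (assumed PKI: root CA -> one intermediate CA -> client certificate).
    SSLCACertificateFile  /etc/apache2/ssl/client-ca-chain.pem

    # Per-server context: no client certificate is requested in the
    # initial handshake, so public pages stay reachable without one.
    SSLVerifyClient none

    <Location "/secure">
        # Per-directory context: mod_ssl renegotiates for this path and
        # the client now has to present a valid certificate.
        SSLVerifyClient require

        # Up to two CA certificates (intermediate + root) may be followed.
        # Keep the depth as small as the real chain allows.
        SSLVerifyDepth 2

        # Boolean access rule applied on top of chain verification:
        # only certificates issued to the named organisation and units.
        SSLRequire (    %{SSL_CLIENT_VERIFY} eq "SUCCESS"                 \
                    and %{SSL_CLIENT_S_DN_O} eq "Example Org"             \
                    and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Operations"} )
    </Location>

    # Test pages only: optional_no_ca accepts certificates that do not
    # verify, so it authenticates nobody. Keep it away from real content.
    #<Location "/ssl-test">
    #    SSLVerifyClient optional_no_ca
    #</Location>
</VirtualHost>
```

Check the syntax with apachectl configtest before reloading the server. On Apache 2.4, SSLRequire is still accepted but deprecated in favour of Require expr.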