Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Strong authentication with Apache and PKI-issued certificates

This kind of authentication is ideal to grant your employees access to internet resources. Consult our offer on our certificates comparison chart's PKI section, but you can also use unitary client certificates.

Preamble: your server must be configured as a SSL server.

In your SSL VirtualHost, place 2 instructions:

SSLCARevocationPath conf/ssl.crl/
SSLCACertificateFile conf/chain-my-pki.txt

The SSLCARevocationPath concerns the revocation. See Management of revocation lists in Apache
to manage revocations.
The SSLCACertificateFile describes your PKI certification chain. The file must contain the certification chain used to issue your PKI certificates. To generate this file, find the authority signing your certificates and store in a file the certificate displayed on the page, see Intermediate certificates . Then click the 'chained with' link to find the previous certificate and add this certificate to your file. Go on until the last certificate. Place the generated file and make sure Apache is compiled with a recent version of OpenSSL 0.9.7 or higher.

In a repertory, place:

SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 4

to activate the client certificate request and specify the chain's maximum length.

Then specify which filter will grant access to your users.

SSLRequire  %{SSL_CLIENT_I_DN} eq "/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions:
http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA persona" \
and %{SSL_CLIENT_S_DN_O} eq "ORGANIZATION-NAME" \
and %{SSL_CLIENT_S_DN_OU} eq "internal staff" \
and %{SSL_CLIENT_S_DN_C} eq "FR"

Here, the first line checks the authority that has issued the certificate (if you followed our instructions and only allowed one CA, this test is redundant. IT is useful if you allowed several CAs).
The second line checks that the certificate is for your organization's name.
The third line checks that the certificate is for your organization's unit.
The fourth line checks that the certificate is for a French organization.

Our example filter authorizes all certificates issued for your organization unit. You can write more strict instructions, for example to only grant some users access, add:

%{SSL_CLIENT_S_DN_Email} in {"root@domain.com", "system@domain.com", "chef@domain.com"}

Useful links