Strong authentication with Apache and multi-CA-issued certificates

If you cannot require all your users to hold X509 Sign & Login TBS certificates (cheap, simple, and a single CA to trust), you will have to manage several CAs.

Preamble: your server must already be configured as an SSL server.

The difficulty of working with several different authorities is to reference precisely the ones you will accept. This is necessary because you must check that each authority's certification policy (identity checks, key protection) is consistent with the authentication quality you expect. Moreover, you will have to manage each CA's CRLs. That is why you should keep the number of authorized CAs small.

In your SSL VirtualHost, place two directives:
SSLCARevocationPath conf/ssl.crl/
SSLCACertificateFile conf/chain-my-ca.txt
The SSLCACertificateFile directive points to a file containing the CAs you have referenced. Note that you have to include each CA's entire certification chain (root and intermediates) and avoid duplicates. To generate this file and find the authorized authorities (and their respective chains), see Intermediate certificates or ask the CA. The CRL of each referenced CA goes in the directory named by SSLCARevocationPath; that directory is looked up by hash filenames, so it must be rehashed (openssl rehash or c_rehash) each time a CRL is added or refreshed. Note also that in Apache 2.4 the CRLs are only consulted when SSLCARevocationCheck is set (to chain or leaf); its default value is none. You will also have to plan the revocation management for each CA. See Management of revocation lists in Apache.
Make sure your Apache is compiled with a recent version of OpenSSL (0.9.7 or higher).

In a <Directory> (or <Location>) block, place:
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 4
to require a client certificate and specify the maximum length of the chain Apache will accept. If your application needs the certificate fields (see below), also add SSLOptions +StdEnvVars in the same block, otherwise the SSL_CLIENT_* variables are not exported.
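The two previous steps combined into one VirtualHost, as an added example (this is not configuration from the original page; hostnames, certificate paths and the protected directory are placeholders):

```apache
# Added example, not from the original page: SSL VirtualHost referencing several CAs,
# their CRLs, and one directory that requires a client certificate.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      conf/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile   conf/ssl.key/www.example.com.key

    # The referenced CAs: each authorized issuing CA with its full chain, no duplicates.
    SSLCACertificateFile    conf/chain-my-ca.txt

    # One PEM CRL per referenced CA. The directory is accessed by hash filename, so run
    # "openssl rehash conf/ssl.crl/" (or c_rehash) after adding or refreshing a CRL.
    SSLCARevocationPath     conf/ssl.crl/
    # Apache 2.4 defaults to "none": without this line the CRLs are never consulted.
    SSLCARevocationCheck    chain

    <Directory "/var/www/secure">
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  4
        # Export SSL_CLIENT_* variables so the application can read the certificate fields.
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
```

A quick way to check the result is to connect with a certificate from a CA that is not in chain-my-ca.txt: the handshake must fail before any page is served, and a revoked certificate from a referenced CA must be refused once its CRL is in place and rehashed.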

Then restrict access to a group of users. You must not grant access to every holder of a certificate issued by a public authority, only to users you have registered. Apache could do this filtering itself (see Authentication in Apache below), but we will not use it here because it is too static.

Authentication outside Apache

Your application's logon code is written in a programming language. Traditionally it uses a username and a password to find the user in your information system (IS) and authenticate them.

You can use the certificate and its fields instead to authenticate the user. To do this, it is recommended to extend your users table with three columns:
  • An ID of the certification authority (for example the issuer DN, as exported in SSL_CLIENT_I_DN)
  • The name of the field to compare (usually the e-mail address)
  • The expected content of that field
With this, in your preferred language, you read the variables Apache provides when it decomposes the client certificate (SSL_CLIENT_I_DN, SSL_CLIENT_S_DN_Email, SSL_CLIENT_S_DN_CN and so on; they require SSLOptions +StdEnvVars, see the mod_ssl documentation for Apache 2.4+), then query the users table on the triplet:
(CA ID, field type, content)
A user is identified only when all three fields match. Matching on the subject field alone is not enough, because another authorized CA may issue a certificate carrying the same e-mail address to a different person.
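The triplet lookup described above, as an added example in Python (this is not code from the original page; the user table, the issuer DNs and the environment dictionaries are constructed, and the environment keys are the variable names mod_ssl exports with SSLOptions +StdEnvVars, in the Apache 2.4 DN format):

```python
# Added example, not from the original page: application-side logon that maps an
# Apache-verified client certificate onto a user row of the triplet
# (CA ID, field type, content). Table contents, DNs and sample environments are constructed.
from typing import Iterable, List, Mapping, Optional

# Constructed stand-in for the extended users table. ca_id holds the issuer DN as
# mod_ssl exports it in SSL_CLIENT_I_DN (Apache 2.4 format: "CN=...,O=...,C=...").
USERS = [
    {"login": "alice", "ca_id": "CN=Example Issuing CA,O=Example CA,C=FR",
     "field": "Email", "value": "alice@example.com"},
    # Same e-mail, different CA: a different user, so the issuer must be part of the key.
    {"login": "bob",   "ca_id": "CN=Other Public CA,O=Other Inc,C=US",
     "field": "Email", "value": "alice@example.com"},
    {"login": "carol", "ca_id": "CN=Example Issuing CA,O=Example CA,C=FR",
     "field": "CN",    "value": "Carol Dupont"},
]


def certificate_values(env: Mapping[str, str], field: str) -> List[str]:
    """Collect the candidate values of one subject field from the mod_ssl variables.
    An e-mail address may sit in the subject DN (SSL_CLIENT_S_DN_Email) or in a
    subjectAltName entry (SSL_CLIENT_SAN_Email_0, _1, ...), so both are gathered."""
    values = []
    dn_value = env.get(f"SSL_CLIENT_S_DN_{field}")
    if dn_value:
        values.append(dn_value)
    if field == "Email":
        i = 0
        while f"SSL_CLIENT_SAN_Email_{i}" in env:
            values.append(env[f"SSL_CLIENT_SAN_Email_{i}"])
            i += 1
    return values


def authenticate(env: Mapping[str, str], users: Iterable[dict] = USERS) -> Optional[str]:
    """Return the login matched by the client certificate, or None.

    Apache has already validated the chain against SSLCACertificateFile and the CRLs;
    the application only (1) refuses anything Apache did not fully verify,
    (2) restricts itself to issuers present in the user table, and (3) compares the
    configured field. All three parts of the triplet must match."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None          # no certificate, or verification not successful
    issuer = env.get("SSL_CLIENT_I_DN")
    if not issuer:
        return None
    for user in users:
        if user["ca_id"] != issuer:
            continue         # certificate comes from a CA this row does not trust
        if user["value"] in certificate_values(env, user["field"]):
            return user["login"]
    return None


def sample_env(issuer: str, **fields: str) -> dict:
    """Constructed mod_ssl environment (what a WSGI/CGI handler would see)."""
    env = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_I_DN": issuer}
    env.update(fields)
    return env


if __name__ == "__main__":
    example_ca = "CN=Example Issuing CA,O=Example CA,C=FR"
    other_ca = "CN=Other Public CA,O=Other Inc,C=US"
    print(authenticate(sample_env(example_ca, SSL_CLIENT_S_DN_Email="alice@example.com")))
    print(authenticate(sample_env(other_ca, SSL_CLIENT_S_DN_Email="alice@example.com")))
    print(authenticate(sample_env("CN=Unknown CA,O=Nobody,C=XX",
                                  SSL_CLIENT_S_DN_Email="alice@example.com")))
```

The second call illustrates the point of the triplet: the same address presented under a certificate from the other CA resolves to a different user instead of alice, and a certificate from an issuer absent from the table is refused even though Apache accepted the handshake.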

Authentication in Apache

If you do not want to manage the acceptance of client certificates in your software, you can also let Apache do it.

The built-in mechanism (SSLOptions +FakeBasicAuth, which uses the client certificate's subject DN as a username looked up in a password file) is limited: it only filters on the subject of the client certificate. This is risky if you have authorized several CAs, since nothing guarantees that another CA will not issue a certificate with the same subject to a different person. If you use this approach, pin the issuer as well, for example with an Apache 2.4 Require expr on SSL_CLIENT_I_DN alongside the subject check.
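The Apache-side variant with the issuer pinned, as an added example (not configuration from the original page; the directory, the password file name and the DNs are placeholders, and the fixed crypt hash is the one mod_ssl documents for FakeBasicAuth):

```apache
# Added example, not from the original page: subject filtering with FakeBasicAuth,
# combined with an issuer check so that a second authorized CA cannot reuse a subject.
<Directory "/var/www/secure">
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  4

    # Built-in mechanism: the client certificate's subject DN becomes a Basic-auth
    # username with the fixed password "password" (crypt hash xxj31ZMTZzkVA) and is
    # looked up in AuthUserFile. On its own this never looks at the issuer.
    SSLOptions   +FakeBasicAuth +StdEnvVars
    AuthType     Basic
    AuthName     "Client certificate required"
    AuthUserFile conf/ssl-users.htpasswd
    # conf/ssl-users.htpasswd, one subject DN per line in the Apache 2.4 DN format:
    #   CN=Alice Martin,O=Example,C=FR:xxj31ZMTZzkVA

    # Closing the cross-CA hole: accept a listed subject only when the chain ends at
    # the CA expected to issue it (Apache 2.4 expression syntax, mod_authz_core).
    <RequireAll>
        Require valid-user
        Require expr "%{SSL_CLIENT_I_DN} == 'CN=Example Issuing CA,O=Example CA,C=FR'"
    </RequireAll>
</Directory>
```

The limitation the text mentions remains visible here: every user of this directory must come from the single issuer named in the expression, and each new user means editing the password file and reloading Apache, which is why the application-side triplet lookup scales better when several CAs are involved.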