How can I configure the Apache httpd to trust specific client certificates?
We need to restrict the access to a webservice to a specific (known) partner's servers.
We planned to use a CA-based solution for this (a trusted CA which would only sign trustworthy CSRs as we accepted them); however, our company's CA will not create certificates for external companies.
In order to establish the secured connection anyway, until the necessary PKI is ready, we wanted to configure specific client certificates as trusted on our Apache httpd proxy.
But httpd does not accept connections from the clients which are trying to connect using the client certificate that has been added to the CACertificateFile (concatenated X.509 certificates in Base64-encoded DER format (PEM)) configured for the virtual host.
The client certificate is in this case not a self-signed certificate.
You should configure the CA certificates you trust via SSLCACertificateFile or SSLCACertificatePath and use SSLVerifyClient (optional or required, not optional_no_ca, which wouldn't perform any authentication) to make the server request a client certificate.
If you use SSLVerifyClient directly within your VirtualHost section, the client certificate will be sent during the initial handshake. If you put it within a Directory/.htaccess, the client certificate will be re-negotiated.
It's easier to debug when the certificate is sent in the initial handshake, since the client certificate itself won't be encrypted. You should be able to see it by looking at the traffic with Wireshark (in the Certificate message sent by the client). When debugging, it's worth checking that a Certificate Request message is sent by the server, and looking at its certification authorities list.
A typical cause of problems would be a client that doesn't recognise that list, or a client that doesn't send its intermediate CA certificates in its chain, if needed.
If you then want to authorise certain certificates more specifically, you can check the SSL variables (e.g. SSL_CLIENT_S_DN_*) and use them in an SSLRequire directive (see example).
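The following script is an added example and is not code from the question, the answer, or the Apache project. It reproduces the situation in the question offline: it builds a throwaway chain (root CA, issuing CA, partner client certificate) with openssl, then runs openssl's chain builder against different "trusted" files to show why a non-self-signed client certificate placed in SSLCACertificateFile does not verify, why a missing intermediate fails, and what the CA file should contain. It also extracts the subject CN that mod_ssl exposes as SSL_CLIENT_S_DN_CN and prints the kind of vhost fragment the answer describes. All DNs, hostnames and paths are constructed for the demo; the script needs only POSIX sh and the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the question, the answer or Apache httpd).
# Builds root CA -> issuing CA -> client certificate, then checks which trust
# material lets the client certificate verify. All names are constructed.
set -eu

# Working directory is left in place so the generated files can be inspected.
WORK="${WORK:-$(mktemp -d)}"

mk_chain() (
  cd "$WORK" || exit 1
  # Minimal req config so the commands do not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

  # Root CA (self-signed).
  openssl ecparam -name prime256v1 -genkey -noout -out root.key
  openssl req -config req.cnf -new -key root.key -subj '/O=Demo Partner/CN=Demo Root CA' -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null

  # Issuing (intermediate) CA, signed by the root.
  openssl ecparam -name prime256v1 -genkey -noout -out inter.key
  openssl req -config req.cnf -new -key inter.key -subj '/O=Demo Partner/CN=Demo Issuing CA' -out inter.csr
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null

  # The partner's client certificate, signed by the issuing CA. Like the
  # certificate in the question, it is not self-signed.
  openssl ecparam -name prime256v1 -genkey -noout -out client.key
  openssl req -config req.cnf -new -key client.key -subj '/O=Demo Partner/CN=partner-gw01' -out client.csr
  openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile client.ext -out client.crt 2>/dev/null

  # What SSLCACertificateFile should hold: the CA certificates, concatenated.
  cat root.crt inter.crt > ca-chain.pem
)

# Exit 0 if client.crt chains to a trust anchor in $1. $1 plays the role of
# SSLCACertificateFile; $2 (optional) plays the role of the intermediates the
# client sends in its Certificate message.
verify_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/client.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/client.crt" >/dev/null 2>&1
  fi
}

# The subject CN that mod_ssl exposes as SSL_CLIENT_S_DN_CN.
client_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/client.crt" |
    sed 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/'
}

# A vhost fragment of the kind the answer describes: trust the partner's CA
# chain, request the client certificate in the initial handshake, and restrict
# the web service path to the one expected certificate by its DN fields.
# The file path is a constructed placeholder.
vhost_fragment() {
  cn="$(client_cn)"
  cat <<EOF
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/httpd/ssl/partner-ca-chain.pem
<Location /webservice>
    SSLRequire %{SSL_CLIENT_S_DN_CN} eq "$cn" and %{SSL_CLIENT_I_DN_O} eq "Demo Partner"
</Location>
EOF
}

report() {
  if verify_client "$@"; then echo "verifies: $*"; else echo "FAILS:    $*"; fi
}

main() {
  mk_chain
  echo "Does client.crt verify when the trusted file is..."
  report client.crt          # the client certificate itself (the question's setup)
  report root.crt            # root only, client sends no intermediate
  report root.crt inter.crt  # root only, client sends the intermediate
  report ca-chain.pem        # root + issuing CA, as the answer recommends
  echo
  vhost_fragment
}

main "$@"
```

The first two checks fail and the last two succeed: OpenSSL (and mod_ssl, which uses the same chain builder) only treats a self-signed certificate in the trust file as a chain end, so the question's approach of listing the client certificate itself cannot work, and a root alone is not enough unless the client presents the intermediate. In httpd 2.4 the same restriction can also be written as Require expr with the same SSL_CLIENT_* variables.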