1

I have used this guide to set up client certificate authentication on Apache.

I verified my certificate using the openssl verify directive (it's valid), I also successfully imported the PFX file into my macOS Keychain and set it to "Trust always".

Additionally, I created a new .htaccess document in the /admin directory of my website and filled it with two lines:

SSLVerifyClient require
SSLVerifyDepth 10

The idea is of course to limit access to the admin panel via the client certificate.

Now, when I access my /admin page in Chrome, I get this: [screenshot not included]

So, things seem to work. The issue is that the browser does not prompt me in any way to provide the local certificate I imported in Keychain, which prevents me from actually accessing the /admin resource.

What am I missing?

lesssugar
  • 121
  • 1
  • 5

1 Answer

2

Chrome doesn't support post-handshake authentication, that is, renegotiating SSL and sending a client certificate when the connection is already established, because (from the Chrome bug report page)

Post-handshake authentication has a mess of security, semantics, and DoS issues. (...) Some spec work is needed to make it defined in HTTP/1.1 at all and, more importantly, explicitly undefined in HTTP/2 in favor of a multiplexing-friendly solution (...)

In Firefox, you can turn it on, but it is not enabled by default, for the same reasons Chrome does not implement it.

You can check the bug reports (Firefox, Chrome) for additional info.

I think what you can do is to set the SSLVerifyClient to optional, move it to the VirtualHost level (with any SSL* directives, so the certificate will be requested during the handshake), and require the presence of a certificate in the .htaccess file like this:

AuthName "Admin resource"
AuthType Basic
Require ssl-verify-client
Lacek
  • 7,233
  • 24
  • 28

Thanks for the answer and the sources, makes sense. I applied the suggestions you mentioned: I edited my .htaccess and added the SSL directive to my default.conf file within the VirtualHost block. Now the page simply says: Forbidden, You don't have permission to access this resource. Still no prompt. Tricky stuff. – lesssugar Nov 12 '21 at 16:05
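Pulling the answer's suggestion into one place, the following is an added example of the complete layout; it is not configuration from the question, the answer, or the guide the question links to, and the hostname, file paths and CA file name are assumptions. SSLVerifyClient optional and SSLCACertificateFile sit at the VirtualHost level so that the server's CertificateRequest goes out in the initial TLS handshake rather than in a renegotiation, and authorization is then enforced per location with Require ssl-verify-client, which needs no AuthType or AuthName because it is decided by the handshake result rather than by an authentication provider.

```apache
# Added example, not the original poster's or answerer's configuration.
# Hostname, paths and CA file name below are assumptions.
<VirtualHost *:443>
    ServerName example.com                                # assumed hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt       # assumed path
    SSLCertificateKeyFile /etc/ssl/private/server.key     # assumed path

    # CA(s) that issued the client certificates. Apache sends the subject
    # names from this file in the CertificateRequest, and the browser only
    # offers a certificate whose issuer chain leads to one of them.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt    # assumed path

    # "optional" at the vhost level: the certificate is requested during
    # the initial handshake, so no post-handshake renegotiation is needed.
    # Connections that present no certificate still complete; access is
    # decided per location below.
    SSLVerifyClient optional
    SSLVerifyDepth  10

    DocumentRoot /var/www/html                            # assumed path

    # Option A: enforce directly in the vhost. Requests without a verified
    # client certificate get 403 Forbidden here.
    <Location "/admin">
        Require ssl-verify-client
    </Location>

    # Option B: let /admin/.htaccess carry the Require line instead.
    # AuthConfig is the override group that permits Require in .htaccess.
    <Directory "/var/www/html/admin">
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>
```

Two things to check when the browser still shows no prompt with this layout: the issuer of the imported client certificate must appear in SSLCACertificateFile (a certificate whose issuer is not in the list the server sends is never offered, so the request ends in 403 with no dialog), and SSLVerifyDepth must cover the length of the client certificate's chain up to that CA.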